Edit tour

Windows Analysis Report
phish_alert_sp2_2.0.0.0-1.eml

Overview

General Information

Sample name:	phish_alert_sp2_2.0.0.0-1.eml
Analysis ID:	1631931
MD5:	eaeafc6901262c2a48f1301f0c9bce8e
SHA1:	fb06799ed7b4343c03659992a2f6661baa3d3afc
SHA256:	c0140d2b25b10be03c08161c6ab71e1ff0333c9ca0483f68341f9dbfd8e8f882
Infos:

Detection

HTMLPhisher

Score:	52
Range:	0 - 100
Confidence:	100%

Signatures

Yara detected BlockedWebSite

AI detected suspicious elements in Email content

Creates files inside the system directory

Deletes files inside the Windows folder

Detected non-DNS traffic on DNS port

Form action URLs do not match main URL

HTML body contains low number of good links

HTML page contains hidden javascript code

HTML title does not match URL

Queries the volume information (name, serial number etc) of a device

Sigma detected: Office Autorun Keys Modification

Stores large binary data to the registry

Classification

Process Tree

System is w10x64_ra

OUTLOOK.EXE (PID: 6876 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\phish_alert_sp2_2.0.0.0-1.eml" MD5: 91A5292942864110ED734005B7E005C0)

ai.exe (PID: 7008 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "86594648-37B9-440F-A1A2-38150CBAD817" "0D02791E-45A9-4E7C-BB4C-3F40A8BB5429" "6876" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)

chrome.exe (PID: 6312 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://nam04.safelinks.protection.outlook.com/?url=http%3A%2F%2Ftefmedu.com%2Ftunnel%2Femail-template.html&data=05%7C02%7Cacalhoun%40olgoonik.com%7Cbbfdc19946bd4d5a5e6b08dd5cbb0a23%7C341c5aad39be47a3901e146d297ecd80%7C0%7C0%7C638768681195303079%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C40000%7C%7C%7C&sdata=YCA8wKuMBG5S%2Bt3WDApyUG61MP7P5h8oL6OdO1SpGxI%3D&reserved=0 MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 6460 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2060,i,14741038871065509490,9466685374017237812,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2100 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
dropped/chromecache_94	JoeSecurity_BlockedWebSite	Yara detected BlockedWebSite	Joe Security

HTML

Source	Rule	Description	Author	Strings
0.1.pages.csv	JoeSecurity_BlockedWebSite	Yara detected BlockedWebSite	Joe Security
0.0.pages.csv	JoeSecurity_BlockedWebSite	Yara detected BlockedWebSite	Joe Security

Sigma Signatures

Sigma detected: Office Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 6876, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Phishing

Yara detected BlockedWebSite

Source: Yara match	File source: 0.1.pages.csv, type: HTML
Source: Yara match	File source: 0.0.pages.csv, type: HTML
Source: Yara match	File source: dropped/chromecache_94, type: DROPPED

AI detected suspicious elements in Email content

Source: Email

Joe Sandbox AI: Detected potential phishing email: The email contains repetitive content and formatting which is a common trait of phishing attempts trying to bypass filters. The email contains a suspicious external link to 'tefmedu.com' masked through a protection service. The message is vague about the billing report details and tries to create urgency, which is typical phishing behavior

Source: https://support.microsoft.com/en-us/topic/what-to-do-when-you-are-blocked-from-a-site-and-believe-the-result-is-mistaken-6f41d3fd-55d3-467e-a5a4-49da4132bb9c

HTTP Parser: Form action: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=ee272b19-4411-433f-8f28-5c13cb6fd407&redirect_uri=https%3A%2F%2Fsupport.microsoft.com%2Fsignin-oidc&response_type=code%20id_token&scope=openid%20profile%20offline_access&response_mode=form_post&nonce=638769589277000788.ZmU0MzQ1YTAtODNlMC00N2Y0LTljZWItZTI5ZjAxMDhmMGNmZDFkMWI3MTItMTY5Ni00MGIyLWFjNTgtNTM4MmY1NDY0Nzdm&prompt=none&nopa=2&state=CfDJ8EtdG32FO4NGh0T1bTLSXPScZzOSDVampDJDjYV8aWetzUZ5F3uMGhx7dHv9--0_5zRUVRsBGCNuZfPeU-WLE1lHCmion90_OfH2zB1GCz52E_VynmeYoOwIl5_zV0J5MNpckK-UXiaZygiMjKGCI_kqmbrxgiuM_V9u7TT4r9gO_vrjEYQ7XKp5CCjr6CCvj0PT56pQ4_lsOdkkYwFkJb6ewIOJ--pzc3HMdykAnR5eC09iH1uErvnjuD1X0K_bbyW2fJi0Ii2acUXRtn0KCsDGyP2uRhNhLqO09O1LGkzNaiJwSwl8WnrSjoWWbpP8TFJLdAcq9YFztEZhpRUlJwpIrr1PaLqfo9IKU1dokZ5U&x-client-SKU=ID_NET6_0&x-client-ver=8.3.0.0&sso_reload=true microsoft microsoftonline

Source: https://support.microsoft.com/en-us/topic/what-to-do-when-you-are-blocked-from-a-site-and-believe-the-result-is-mistaken-6f41d3fd-55d3-467e-a5a4-49da4132bb9c

HTTP Parser: Number of links: 0

Source: https://support.microsoft.com/en-us/topic/what-to-do-when-you-are-blocked-from-a-site-and-believe-the-result-is-mistaken-6f41d3fd-55d3-467e-a5a4-49da4132bb9c

HTTP Parser: Base64 decoded: fe4345a0-83e0-47f4-9ceb-e29f0108f0cfd1d1b712-1696-40b2-ac58-5382f546477f

Source: https://support.microsoft.com/en-us/topic/what-to-do-when-you-are-blocked-from-a-site-and-believe-the-result-is-mistaken-6f41d3fd-55d3-467e-a5a4-49da4132bb9c

HTTP Parser: Title: Redirecting does not match URL

Source: Email

Classification: Invoice Scam

Source: https://support.microsoft.com/en-us/topic/what-to-do-when-you-are-blocked-from-a-site-and-believe-the-result-is-mistaken-6f41d3fd-55d3-467e-a5a4-49da4132bb9c

HTTP Parser: No favicon

Source: https://support.microsoft.com/en-us/topic/what-to-do-when-you-are-blocked-from-a-site-and-believe-the-result-is-mistaken-6f41d3fd-55d3-467e-a5a4-49da4132bb9c

HTTP Parser: No <meta name="author".. found

Source: https://support.microsoft.com/en-us/topic/what-to-do-when-you-are-blocked-from-a-site-and-believe-the-result-is-mistaken-6f41d3fd-55d3-467e-a5a4-49da4132bb9c

HTTP Parser: No <meta name="copyright".. found

Source: global traffic	TCP traffic: 192.168.2.16:63769 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:63769 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:63769 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:63769 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:63769 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:63769 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:63769 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:63769 -> 1.1.1.1:53

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.184.195
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.184.195
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /?url=http%3A%2F%2Ftefmedu.com%2Ftunnel%2Femail-template.html&data=05%7C02%7Cacalhoun%40olgoonik.com%7Cbbfdc19946bd4d5a5e6b08dd5cbb0a23%7C341c5aad39be47a3901e146d297ecd80%7C0%7C0%7C638768681195303079%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C40000%7C%7C%7C&sdata=YCA8wKuMBG5S%2Bt3WDApyUG61MP7P5h8oL6OdO1SpGxI%3D&reserved=0 HTTP/1.1Host: nam04.safelinks.protection.outlook.comConnection: keep-alivesec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /Content/Scripts/safelinksv2.css HTTP/1.1Host: nam04.safelinks.protection.outlook.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: text/css,/;q=0.1Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://nam04.safelinks.protection.outlook.com/?url=http%3A%2F%2Ftefmedu.com%2Ftunnel%2Femail-template.html&data=05%7C02%7Cacalhoun%40olgoonik.com%7Cbbfdc19946bd4d5a5e6b08dd5cbb0a23%7C341c5aad39be47a3901e146d297ecd80%7C0%7C0%7C638768681195303079%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C40000%7C%7C%7C&sdata=YCA8wKuMBG5S%2Bt3WDApyUG61MP7P5h8oL6OdO1SpGxI%3D&reserved=0Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /Content/Scripts/site.js HTTP/1.1Host: nam04.safelinks.protection.outlook.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://nam04.safelinks.protection.outlook.com/?url=http%3A%2F%2Ftefmedu.com%2Ftunnel%2Femail-template.html&data=05%7C02%7Cacalhoun%40olgoonik.com%7Cbbfdc19946bd4d5a5e6b08dd5cbb0a23%7C341c5aad39be47a3901e146d297ecd80%7C0%7C0%7C638768681195303079%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C40000%7C%7C%7C&sdata=YCA8wKuMBG5S%2Bt3WDApyUG61MP7P5h8oL6OdO1SpGxI%3D&reserved=0Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /Content/images/cross.png HTTP/1.1Host: nam04.safelinks.protection.outlook.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://nam04.safelinks.protection.outlook.com/?url=http%3A%2F%2Ftefmedu.com%2Ftunnel%2Femail-template.html&data=05%7C02%7Cacalhoun%40olgoonik.com%7Cbbfdc19946bd4d5a5e6b08dd5cbb0a23%7C341c5aad39be47a3901e146d297ecd80%7C0%7C0%7C638768681195303079%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C40000%7C%7C%7C&sdata=YCA8wKuMBG5S%2Bt3WDApyUG61MP7P5h8oL6OdO1SpGxI%3D&reserved=0Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /Content/images/cross.png HTTP/1.1Host: nam04.safelinks.protection.outlook.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /scripts/c/ms.shared.analytics.mectrl-3.gbl.min.js HTTP/1.1Host: js.monitor.azure.comConnection: keep-aliveOrigin: https://support.microsoft.comsec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://support.microsoft.com/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /common/oauth2/v2.0/authorize?client_id=ee272b19-4411-433f-8f28-5c13cb6fd407&redirect_uri=https%3A%2F%2Fsupport.microsoft.com%2Fsignin-oidc&response_type=code%20id_token&scope=openid%20profile%20offline_access&response_mode=form_post&nonce=638769589277000788.ZmU0MzQ1YTAtODNlMC00N2Y0LTljZWItZTI5ZjAxMDhmMGNmZDFkMWI3MTItMTY5Ni00MGIyLWFjNTgtNTM4MmY1NDY0Nzdm&prompt=none&nopa=2&state=CfDJ8EtdG32FO4NGh0T1bTLSXPScZzOSDVampDJDjYV8aWetzUZ5F3uMGhx7dHv9--0_5zRUVRsBGCNuZfPeU-WLE1lHCmion90_OfH2zB1GCz52E_VynmeYoOwIl5_zV0J5MNpckK-UXiaZygiMjKGCI_kqmbrxgiuM_V9u7TT4r9gO_vrjEYQ7XKp5CCjr6CCvj0PT56pQ4_lsOdkkYwFkJb6ewIOJ--pzc3HMdykAnR5eC09iH1uErvnjuD1X0K_bbyW2fJi0Ii2acUXRtn0KCsDGyP2uRhNhLqO09O1LGkzNaiJwSwl8WnrSjoWWbpP8TFJLdAcq9YFztEZhpRUlJwpIrr1PaLqfo9IKU1dokZ5U&x-client-SKU=ID_NET6_0&x-client-ver=8.3.0.0 HTTP/1.1Host: login.microsoftonline.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: iframeSec-Fetch-Storage-Access: activesec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Referer: https://support.microsoft.com/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9

Source: global traffic	DNS traffic detected: DNS query: nam04.safelinks.protection.outlook.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: aadcdn.msftauth.net
Source: global traffic	DNS traffic detected: DNS query: mem.gfx.ms
Source: global traffic	DNS traffic detected: DNS query: js.monitor.azure.com
Source: global traffic	DNS traffic detected: DNS query: c.s-microsoft.com
Source: global traffic	DNS traffic detected: DNS query: login.microsoftonline.com

Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63791
Source: unknown	Network traffic detected: HTTP traffic on port 63772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63831 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63845
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63850 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63829
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 63777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49679 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63851 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63845 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63793
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63850
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63851
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63831

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Windows\SystemTemp\scoped_dir6312_1060667029

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File deleted: C:\Windows\SystemTemp\scoped_dir6312_1060667029

Source: classification engine

Classification label: mal52.phis.winEML@24/45@18/157