Edit tour

Windows Analysis Report
FW Sensitive - ADMINISTRATIVE LICENSE REVOCATION (ALR) HEARING REQUEST.msg

Overview

General Information

Sample name:	FW Sensitive - ADMINISTRATIVE LICENSE REVOCATION (ALR) HEARING REQUEST.msg
Analysis ID:	1634345
MD5:	aff08944fccbcba2ee661c6318e4de03
SHA1:	139dad9b65ad32649bfa5855271ce2f7e5e4df7f
SHA256:	0e3efa80baed68b1a2b5f7a8b9bd68f1c3b782ea4b39c5c03738af5dcb695ed9
Infos:

Detection

Score:	48
Range:	0 - 100
Confidence:	100%

Signatures

AI detected landing page (webpage, office document or email)

AI detected suspicious elements in Email content

Detected hidden input values containing email addresses (often used in phishing pages)

Detected non-DNS traffic on DNS port

HTML body contains low number of good links

Queries the volume information (name, serial number etc) of a device

Sigma detected: Office Autorun Keys Modification

Classification

Process Tree

System is w10x64_ra

OUTLOOK.EXE (PID: 6996 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\FW Sensitive - ADMINISTRATIVE LICENSE REVOCATION (ALR) HEARING REQUEST.msg" MD5: 91A5292942864110ED734005B7E005C0)

ai.exe (PID: 6328 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "3569BA0A-1677-4D8C-91A0-EBE36D2BE0B9" "DF969B98-AC5A-4E7B-9E04-8DD38B90643F" "6996" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)

chrome.exe (PID: 5384 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://mailc.dps.texas.gov/module/semail.fe?fewReq=:B:JVA0PTg2NHxrf2FsZGttejNCYW1vYmsofGt/b216Z2FgMzw+KGdqM3x9b2JnYG99TnltbXp2Ym95IG1hYyh+b2lrM31rY29nYlFrYHhrYmF+KH17bGRrbXozXWtgfWd6Z3hrKzw+Iys8Pk9KQ0dAR11aXE9aR1hLKzw+QkdNS0BdSys8PlxLWEFNT1pHQUArPD4mT0JcJys8PkZLT1xHQEkrPD5cS19bS11aKH1rYGprfDNgYXxrfmJ3Tmp+fSB6a3ZvfSBpYXgoZ2xrR2ozR0xLIDs8NkJPSnY5Pj88Ozw7Izs8NkJPSnY2Pj88Ozw7KH1rbXt8a1FtYWprM3x9b2JnYG99Kzo+eW1tenZib3kgbWFjKz1vR0xLIDs8NkJPSnY5Pj88Ozw7Izs8NkJPSnY2Pj88Ozw7Kz1veGt8Kz1vPCs9bz4/Kz1vPj8rPW83ajo4PW9tazY/Pjg7PjxraG8/bzY2PTdobGxqaGs4O29tNz9ramw2 MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 6140 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1908,i,16986916522686519384,13813070932516774005,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2188 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 6728 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://docs.fortinet.com/document/fortimail/7.4.3/webmail-guide-ibe/index.htm MD5: E81F54E6C1129887AEA47E7D092680BF)

cleanup

Sigma Signatures

Sigma detected: Office Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 6996, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Phishing

AI detected landing page (webpage, office document or email)

Source: Email

Joe Sandbox AI: Email contains prominent button: 'click this to access the secure message'

AI detected suspicious elements in Email content

Source: Email

Joe Sandbox AI: Detected potential phishing email: The email claims to be from Texas DPS (noreply@dps.texas.gov) but uses a suspicious external link (mailc.dps.texas.gov) instead of the official texas.gov domain. The message creates urgency around a sensitive administrative license issue and prompts clicking on a suspicious link. The email uses a common phishing tactic of a 'secure message' that requires additional login

Source: https://mailc.dps.texas.gov/module/semail.fe?fewReq=:B:JVA0PTg2NHxrf2FsZGttejNCYW1vYmsofGt/b216Z2FgMzw+KGdqM3x9b2JnYG99TnltbXp2Ym95IG1hYyh+b2lrM31rY29nYlFrYHhrYmF+KH17bGRrbXozXWtgfWd6Z3hrKzw+Iys8Pk9KQ0dAR11aXE9aR1hLKzw+QkdNS0BdSys8PlxLWEFNT1pHQUArPD4mT0JcJys8PkZLT1xHQEkrPD5cS19bS11aKH1rYGprfDNgYXxrfmJ3Tmp+fSB6a3ZvfSBpYXgoZ2xrR2ozR0xLIDs8NkJPSnY5Pj88Ozw7Izs8NkJPSnY2Pj88Ozw7KH1rbXt8a1FtYWprM3x9b2JnYG99Kzo+eW1tenZib3kgbWFjKz1vR0xLIDs8NkJPSnY5Pj88Ozw7Izs8NkJPSnY2Pj88Ozw7Kz1veGt8Kz1vPCs9bz4/Kz1vPj8rPW83ajo4PW9tazY/Pjg7PjxraG8/bzY2PTdobGxqaGs4O29tNz9ramw2	HTTP Parser: rsalinas@wcctxlaw.com
Source: https://mailc.dps.texas.gov/module/semail.fe?fewReq=:B:JVA0PTg2NHxrf2FsZGttejNCYW1vYmsofGt/b216Z2FgMzw+KGdqM3x9b2JnYG99TnltbXp2Ym95IG1hYyh+b2lrM31rY29nYlFrYHhrYmF+KH17bGRrbXozXWtgfWd6Z3hrKzw+Iys8Pk9KQ0dAR11aXE9aR1hLKzw+QkdNS0BdSys8PlxLWEFNT1pHQUArPD4mT0JcJys8PkZLT1xHQEkrPD5cS19bS11aKH1rYGprfDNgYXxrfmJ3Tmp+fSB6a3ZvfSBpYXgoZ2xrR2ozR0xLIDs8NkJPSnY5Pj88Ozw7Izs8NkJPSnY2Pj88Ozw7KH1rbXt8a1FtYWprM3x9b2JnYG99Kzo+eW1tenZib3kgbWFjKz1vR0xLIDs8NkJPSnY5Pj88Ozw7Izs8NkJPSnY2Pj88Ozw7Kz1veGt8Kz1vPCs9bz4/Kz1vPj8rPW83ajo4PW9tazY/Pjg7PjxraG8/bzY2PTdobGxqaGs4O29tNz9ramw2	HTTP Parser: noreply@dps.texas.gov

Source: https://mailc.dps.texas.gov/module/semail.fe?fewReq=:B:JVA0PTg2NHxrf2FsZGttejNCYW1vYmsofGt/b216Z2FgMzw+KGdqM3x9b2JnYG99TnltbXp2Ym95IG1hYyh+b2lrM31rY29nYlFrYHhrYmF+KH17bGRrbXozXWtgfWd6Z3hrKzw+Iys8Pk9KQ0dAR11aXE9aR1hLKzw+QkdNS0BdSys8PlxLWEFNT1pHQUArPD4mT0JcJys8PkZLT1xHQEkrPD5cS19bS11aKH1rYGprfDNgYXxrfmJ3Tmp+fSB6a3ZvfSBpYXgoZ2xrR2ozR0xLIDs8NkJPSnY5Pj88Ozw7Izs8NkJPSnY2Pj88Ozw7KH1rbXt8a1FtYWprM3x9b2JnYG99Kzo+eW1tenZib3kgbWFjKz1vR0xLIDs8NkJPSnY5Pj88Ozw7Izs8NkJPSnY2Pj88Ozw7Kz1veGt8Kz1vPCs9bz4/Kz1vPj8rPW83ajo4PW9tazY/Pjg7PjxraG8/bzY2PTdobGxqaGs4O29tNz9ramw2

HTTP Parser: Number of links: 0

Source: Email

Classification: Credential Stealer

HTTP Parser: <input type="password" .../> found

Source: https://mailc.dps.texas.gov/module/semail.fe?fewReq=:B:JVA0PTg2NHxrf2FsZGttejNCYW1vYmsofGt/b216Z2FgMzw+KGdqM3x9b2JnYG99TnltbXp2Ym95IG1hYyh+b2lrM31rY29nYlFrYHhrYmF+KH17bGRrbXozXWtgfWd6Z3hrKzw+Iys8Pk9KQ0dAR11aXE9aR1hLKzw+QkdNS0BdSys8PlxLWEFNT1pHQUArPD4mT0JcJys8PkZLT1xHQEkrPD5cS19bS11aKH1rYGprfDNgYXxrfmJ3Tmp+fSB6a3ZvfSBpYXgoZ2xrR2ozR0xLIDs8NkJPSnY5Pj88Ozw7Izs8NkJPSnY2Pj88Ozw7KH1rbXt8a1FtYWprM3x9b2JnYG99Kzo+eW1tenZib3kgbWFjKz1vR0xLIDs8NkJPSnY5Pj88Ozw7Izs8NkJPSnY2Pj88Ozw7Kz1veGt8Kz1vPCs9bz4/Kz1vPj8rPW83ajo4PW9tazY/Pjg7PjxraG8/bzY2PTdobGxqaGs4O29tNz9ramw2	HTTP Parser: No favicon
Source: https://mailc.dps.texas.gov/ibe	HTTP Parser: No favicon

HTTP Parser: No <meta name="author".. found

HTTP Parser: No <meta name="copyright".. found

Source: global traffic

TCP traffic: 192.168.2.16:52434 -> 1.1.1.1:53

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.185.99
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.122.214
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.185.99
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.122.214
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.68
Source: unknown	TCP traffic detected without corresponding DNS query: 184.30.131.245
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.68
Source: unknown	TCP traffic detected without corresponding DNS query: 184.30.131.245
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /module/semail.fe?fewReq=:B:JVA0PTg2NHxrf2FsZGttejNCYW1vYmsofGt/b216Z2FgMzw+KGdqM3x9b2JnYG99TnltbXp2Ym95IG1hYyh+b2lrM31rY29nYlFrYHhrYmF+KH17bGRrbXozXWtgfWd6Z3hrKzw+Iys8Pk9KQ0dAR11aXE9aR1hLKzw+QkdNS0BdSys8PlxLWEFNT1pHQUArPD4mT0JcJys8PkZLT1xHQEkrPD5cS19bS11aKH1rYGprfDNgYXxrfmJ3Tmp+fSB6a3ZvfSBpYXgoZ2xrR2ozR0xLIDs8NkJPSnY5Pj88Ozw7Izs8NkJPSnY2Pj88Ozw7KH1rbXt8a1FtYWprM3x9b2JnYG99Kzo+eW1tenZib3kgbWFjKz1vR0xLIDs8NkJPSnY5Pj88Ozw7Izs8NkJPSnY2Pj88Ozw7Kz1veGt8Kz1vPCs9bz4/Kz1vPj8rPW83ajo4PW9tazY/Pjg7PjxraG8/bzY2PTdobGxqaGs4O29tNz9ramw2 HTTP/1.1Host: mailc.dps.texas.govConnection: keep-alivesec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: mailc.dps.texas.govConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /document/fortimail/7.4.3/webmail-guide-ibe/index.htm HTTP/1.1Host: docs.fortinet.comConnection: keep-alivesec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /document/fortimail/7.4.3/webmail-guide-ibe/index.htm HTTP/1.1Host: docs.fortinet.comConnection: keep-aliveCache-Control: max-age=0sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /document/fortimail/7.4.3/webmail-guide-ibe/index.htm HTTP/1.1Host: docs.fortinet.comConnection: keep-aliveCache-Control: max-age=0sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9

Source: global traffic	DNS traffic detected: DNS query: mailc.dps.texas.gov
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: docs.fortinet.com

Source: unknown

HTTP traffic detected: POST /ibe HTTP/1.1Host: mailc.dps.texas.govConnection: keep-aliveContent-Length: 165Cache-Control: max-age=0sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Origin: https://mailc.dps.texas.govContent-Type: application/x-www-form-urlencodedUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: https://mailc.dps.texas.gov/module/semail.fe?fewReq=:B:JVA0PTg2NHxrf2FsZGttejNCYW1vYmsofGt/b216Z2FgMzw+KGdqM3x9b2JnYG99TnltbXp2Ym95IG1hYyh+b2lrM31rY29nYlFrYHhrYmF+KH17bGRrbXozXWtgfWd6Z3hrKzw+Iys8Pk9KQ0dAR11aXE9aR1hLKzw+QkdNS0BdSys8PlxLWEFNT1pHQUArPD4mT0JcJys8PkZLT1xHQEkrPD5cS19bS11aKH1rYGprfDNgYXxrfmJ3Tmp+fSB6a3ZvfSBpYXgoZ2xrR2ozR0xLIDs8NkJPSnY5Pj88Ozw7Izs8NkJPSnY2Pj88Ozw7KH1rbXt8a1FtYWprM3x9b2JnYG99Kzo+eW1tenZib3kgbWFjKz1vR0xLIDs8NkJPSnY5Pj88Ozw7Izs8NkJPSnY2Pj88Ozw7Kz1veGt8Kz1vPCs9bz4/Kz1vPj8rPW83ajo4PW9tazY/Pjg7PjxraG8/bzY2PTdobGxqaGs4O29tNz9ramw2Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9

Source: FW Sensitive - ADMINISTRATIVE LICENSE REVOCATION (ALR) HEARING REQUEST.msg	String found in binary or memory: https://aka.ms/LearnAboutSenderIdentification
Source: FW Sensitive - ADMINISTRATIVE LICENSE REVOCATION (ALR) HEARING REQUEST.msg, chromecache_53.10.dr, chromecache_55.10.dr	String found in binary or memory: https://docs.fortinet.com/document/fortimail/7.4.3/webmail-guide-ibe/index.htm
Source: chromecache_53.10.dr, chromecache_55.10.dr	String found in binary or memory: https://mailc.dps.texas.gov
Source: FW Sensitive - ADMINISTRATIVE LICENSE REVOCATION (ALR) HEARING REQUEST.msg	String found in binary or memory: https://mailc.dps.texas.gov/module/semail.fe?fewReq=:B:JVA0PTg2NHxrf2FsZGttejNCYW1vYmsofGt/b216Z2FgM

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52459
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52451
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52452
Source: unknown	Network traffic detected: HTTP traffic on port 52452 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52458
Source: unknown	Network traffic detected: HTTP traffic on port 52458 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52451 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52469 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52463 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52465 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52467 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49673
Source: unknown	Network traffic detected: HTTP traffic on port 49694 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49694
Source: unknown	Network traffic detected: HTTP traffic on port 49679 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52464
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52465
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52463
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52468
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52469
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52466
Source: unknown	Network traffic detected: HTTP traffic on port 52459 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52467
Source: unknown	Network traffic detected: HTTP traffic on port 52450 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52450
Source: unknown	Network traffic detected: HTTP traffic on port 52466 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52464 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52468 -> 443

Source: classification engine

Classification label: mal48.winMSG@28/13@8/4