Windows Analysis Report
Copy of 1- GCP Vendor Information Smart Form Stepan.xlsm

Overview

General Information

Sample name: Copy of 1- GCP Vendor Information Smart Form Stepan.xlsm
Analysis ID: 1637562
MD5: a772909f3631fdf422b3f91dcafd1111
SHA1: 96ab4154e792ccc9bc1952204aa15a84bb7cc593
SHA256: a190ae42fcb0bd304ffeeea51f4d2b5d57516a9ebe8a44a110b23cffd22ca33b

Detection

Score: 64
Range: 0 - 100
Confidence: 100%

Signatures

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
AI detected landing page (webpage, office document or email)
Document contains an embedded VBA macro which might access itself as a file (possible anti-VM)
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with many string operations indicating source code obfuscation
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Sigma detected: Excel Network Connections
Sigma detected: Suspicious Office Outbound Connections
Suricata IDS alerts with low severity for network traffic

Classification

  • System is w10x64_ra
  • EXCEL.EXE (PID: 6292 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\Copy of 1- GCP Vendor Information Smart Form Stepan.xlsm" MD5: 4A871771235598812032C822E6F68F19)
    • splwow64.exe (PID: 6636 cmdline: C:\Windows\splwow64.exe 12288 MD5: 77DE7761B037061C7C112FD3C5B91E73)
  • cleanup
No yara matches

System Summary

Source: Network Connection | Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0", Tim Shelton | Data: DestinationIp: 13.107.253.72, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 6292, Protocol: tcp, SourceIp: 192.168.2.16, SourceIsIpv6: false, SourcePort: 49710
Source: Network Connection | Author: X__Junior (Nextron Systems) | Data: DestinationIp: 192.168.2.16, DestinationIsIpv6: false, DestinationPort: 49710, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 6292, Protocol: tcp, SourceIp: 13.107.253.72, SourceIsIpv6: false, SourcePort: 443
Source: File created | Author: Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, ProcessId: 6292, TargetFilename: C:\Users\user\Desktop\~$Copy of 1- GCP Vendor Information Smart Form Stepan.xlsm

Timestamp                        SID      Severity  Classtype        Source IP     Source Port  Destination IP  Destination Port  Protocol
2025-03-13T17:39:30.564777+0100  2028371  3         Unknown Traffic  192.168.2.16  49710        13.107.253.72   443               TCP
2025-03-13T17:39:39.602265+0100  2028371  3         Unknown Traffic  192.168.2.16  49711        13.107.253.72   443               TCP
2025-03-13T17:39:40.628396+0100  2028371  3         Unknown Traffic  192.168.2.16  49712        13.107.253.72   443               TCP

Phishing

Source: Screenshot id: 16 | Joe Sandbox AI: Screenshot id: 16 contains prominent button: 'please click the button to verify or reset the'
Source: Screenshot id: 20 | Joe Sandbox AI: Screenshot id: 20 contains prominent button: 'please click the button to verify or reset the'
Source: Screenshot id: 6 | Joe Sandbox AI: Screenshot id: 6 contains prominent button: 'verify'
Source: Screenshot id: 3 | Joe Sandbox AI: Screenshot id: 3 contains prominent button: 'please click the button to verify or reset the'
Source: Screenshot id: 17 | Joe Sandbox AI: Screenshot id: 17 contains prominent button: 'please click the button to verify or reset the'
Source: Screenshot id: 7 | Joe Sandbox AI: Screenshot id: 7 contains prominent button: 'please click the button to verify or reset the'
Source: Screenshot id: 19 | Joe Sandbox AI: Screenshot id: 19 contains prominent button: 'please click the button to verify or reset the'
Source: Screenshot id: 5 | Joe Sandbox AI: Screenshot id: 5 contains prominent button: 'verify'
Source: Screenshot id: 18 | Joe Sandbox AI: Screenshot id: 18 contains prominent button: 'please click the button to verify or reset the'
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll
Source: unknown | HTTPS traffic detected: 13.107.253.72:443 -> 192.168.2.16:49710 version: TLS 1.2
Source: global traffic | DNS query: name: otelrules.svc.static.microsoft
Source: global traffic | TCP traffic: 192.168.2.16:49710 -> 13.107.253.72:443
Source: global traffic | TCP traffic: 192.168.2.16:49711 -> 13.107.253.72:443
Source: global traffic | TCP traffic: 192.168.2.16:49712 -> 13.107.253.72:443
Source: global traffic | TCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 192.168.2.16:49710 -> 13.107.253.72:443
Source: global trafficTCP traffic: 192.168.2.16:49710 -> 13.107.253.72:443
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 192.168.2.16:49710 -> 13.107.253.72:443
Source: global trafficTCP traffic: 192.168.2.16:49710 -> 13.107.253.72:443
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 192.168.2.16:49710 -> 13.107.253.72:443
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 192.168.2.16:49710 -> 13.107.253.72:443
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 192.168.2.16:49710 -> 13.107.253.72:443
Source: global trafficTCP traffic: 192.168.2.16:49710 -> 13.107.253.72:443
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 192.168.2.16:49710 -> 13.107.253.72:443
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 192.168.2.16:49710 -> 13.107.253.72:443
Source: global trafficTCP traffic: 192.168.2.16:49710 -> 13.107.253.72:443
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 192.168.2.16:49710 -> 13.107.253.72:443
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 192.168.2.16:49710 -> 13.107.253.72:443
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 192.168.2.16:49710 -> 13.107.253.72:443
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 192.168.2.16:49710 -> 13.107.253.72:443
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 192.168.2.16:49710 -> 13.107.253.72:443
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 192.168.2.16:49710 -> 13.107.253.72:443
Source: global trafficTCP traffic: 192.168.2.16:49710 -> 13.107.253.72:443
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 192.168.2.16:49710 -> 13.107.253.72:443
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 192.168.2.16:49710 -> 13.107.253.72:443
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 192.168.2.16:49710 -> 13.107.253.72:443
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 192.168.2.16:49710 -> 13.107.253.72:443
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 192.168.2.16:49710 -> 13.107.253.72:443
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 192.168.2.16:49710 -> 13.107.253.72:443
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 192.168.2.16:49710 -> 13.107.253.72:443
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 192.168.2.16:49710 -> 13.107.253.72:443
Source: global trafficTCP traffic: 192.168.2.16:49710 -> 13.107.253.72:443
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 192.168.2.16:49710 -> 13.107.253.72:443
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 192.168.2.16:49710 -> 13.107.253.72:443
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 192.168.2.16:49710 -> 13.107.253.72:443
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 192.168.2.16:49710 -> 13.107.253.72:443
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 192.168.2.16:49710 -> 13.107.253.72:443
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 192.168.2.16:49710 -> 13.107.253.72:443
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 192.168.2.16:49710 -> 13.107.253.72:443
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 192.168.2.16:49710 -> 13.107.253.72:443
Source: global trafficTCP traffic: 192.168.2.16:49710 -> 13.107.253.72:443
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 192.168.2.16:49710 -> 13.107.253.72:443
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 192.168.2.16:49710 -> 13.107.253.72:443
Source: global trafficTCP traffic: 192.168.2.16:49710 -> 13.107.253.72:443
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 192.168.2.16:49710 -> 13.107.253.72:443
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 192.168.2.16:49710 -> 13.107.253.72:443
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 192.168.2.16:49710 -> 13.107.253.72:443
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 192.168.2.16:49710 -> 13.107.253.72:443
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 192.168.2.16:49710 -> 13.107.253.72:443
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 192.168.2.16:49710 -> 13.107.253.72:443
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 192.168.2.16:49710 -> 13.107.253.72:443
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 192.168.2.16:49710 -> 13.107.253.72:443
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 192.168.2.16:49710 -> 13.107.253.72:443
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 192.168.2.16:49710 -> 13.107.253.72:443
Source: global trafficTCP traffic: 192.168.2.16:49710 -> 13.107.253.72:443
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 192.168.2.16:49710 -> 13.107.253.72:443
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 192.168.2.16:49710 -> 13.107.253.72:443
Source: global trafficTCP traffic: 192.168.2.16:49710 -> 13.107.253.72:443
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 192.168.2.16:49710 -> 13.107.253.72:443
Source: global trafficTCP traffic: 192.168.2.16:49710 -> 13.107.253.72:443
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 192.168.2.16:49710 -> 13.107.253.72:443
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 192.168.2.16:49710 -> 13.107.253.72:443
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 192.168.2.16:49710 -> 13.107.253.72:443
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 192.168.2.16:49710 -> 13.107.253.72:443
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 192.168.2.16:49710 -> 13.107.253.72:443
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 192.168.2.16:49710 -> 13.107.253.72:443
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 192.168.2.16:49710 -> 13.107.253.72:443
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 192.168.2.16:49710 -> 13.107.253.72:443
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 192.168.2.16:49710 -> 13.107.253.72:443
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 192.168.2.16:49710 -> 13.107.253.72:443
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 192.168.2.16:49710 -> 13.107.253.72:443
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 192.168.2.16:49710 -> 13.107.253.72:443
Source: global trafficTCP traffic: 13.107.253.72:443 -> 192.168.2.16:49710
Source: global trafficTCP traffic: 192.168.2.16:49710 -> 13.107.253.72:443
Source: global traffic | TCP traffic: 192.168.2.16:49711 -> 13.107.253.72:443
Source: global traffic | TCP traffic: 192.168.2.16:49712 -> 13.107.253.72:443
Source: global traffic | TCP traffic: 13.107.253.72:443 -> 192.168.2.16:49711
Source: global traffic | TCP traffic: 13.107.253.72:443 -> 192.168.2.16:49712
Source: excel.exe | Memory has grown: Private usage: 1MB later: 43MB
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.16:49710 -> 13.107.253.72:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.16:49711 -> 13.107.253.72:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.16:49712 -> 13.107.253.72:443
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /rules/excel.exe-Production-v19.bundle HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) Host: otelrules.svc.static.microsoft
Source: global traffic | HTTP traffic detected: GET /rules/rule120607v1s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) Host: otelrules.svc.static.microsoft
Source: global traffic | HTTP traffic detected: GET /rules/rule120603v8s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) Host: otelrules.svc.static.microsoft
Source: global traffic | DNS traffic detected: DNS query: otelrules.svc.static.microsoft
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown | HTTPS traffic detected: 13.107.253.72:443 -> 192.168.2.16:49710 version: TLS 1.2

System Summary

Source: screenshot | OCR: Enable Content box below. 11 12 GCV VISFAugNlSxls. (Compatibility 13 Benjamin PAGE LAYOUT FORMULA
Source: Copy of 1- GCP Vendor Information Smart Form Stepan.xlsm | OLE, VBA macro line: .Attachments.Add ActiveWorkbook.FullName
Source: Copy of 1- GCP Vendor Information Smart Form Stepan.xlsm | OLE, VBA macro line: ' Mail_PDF_Outlook FileName, "FICO.MDM@grace.com", ActiveWorkbook.Name, "See the attached PDF file", False
Source: Copy of 1- GCP Vendor Information Smart Form Stepan.xlsm | OLE, VBA macro line: strHostName = Environ("username")
Source: Copy of 1- GCP Vendor Information Smart Form Stepan.xlsm | OLE, VBA macro line: Private Sub bnt_Close_Click()
Source: Copy of 1- GCP Vendor Information Smart Form Stepan.xlsm | OLE, VBA macro line: Private Sub Workbook_Open()
Source: Copy of 1- GCP Vendor Information Smart Form Stepan.xlsm | OLE, VBA macro line: ' Private Sub Workbook_BeforeClose(Cancel As Boolean)
Source: Copy of 1- GCP Vendor Information Smart Form Stepan.xlsm | OLE indicator, VBA macros: true
Source: classification engine | Classification label: mal64.troj.expl.evad.winXLSM@3/1@1/70
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | File created: C:\Users\user\Desktop\~$Copy of 1- GCP Vendor Information Smart Form Stepan.xlsm
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\{B131062B-726E-4D72-8B6D-445F9C9F6BAE} - OProcSessId.dat
Source: Copy of 1- GCP Vendor Information Smart Form Stepan.xlsm | OLE indicator, Workbook stream: true
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\Copy of 1- GCP Vendor Information Smart Form Stepan.xlsm"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Window found: window name: SysTabControl32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: Copy of 1- GCP Vendor Information Smart Form Stepan.xlsmInitial sample: OLE zip file path = xl/printerSettings/printerSettings6.bin
Source: Copy of 1- GCP Vendor Information Smart Form Stepan.xlsmInitial sample: OLE zip file path = docProps/custom.xml
Source: Copy of 1- GCP Vendor Information Smart Form Stepan.xlsmInitial sample: OLE zip file path = xl/printerSettings/printerSettings7.bin
Source: Copy of 1- GCP Vendor Information Smart Form Stepan.xlsmInitial sample: OLE zip file path = xl/printerSettings/printerSettings9.bin
Source: Copy of 1- GCP Vendor Information Smart Form Stepan.xlsmInitial sample: OLE zip file path = xl/printerSettings/printerSettings10.bin
Source: Copy of 1- GCP Vendor Information Smart Form Stepan.xlsmInitial sample: OLE zip file path = xl/printerSettings/printerSettings8.bin
Source: Copy of 1- GCP Vendor Information Smart Form Stepan.xlsmInitial sample: OLE zip file path = xl/calcChain.xml
Source: Copy of 1- GCP Vendor Information Smart Form Stepan.xlsmInitial sample: OLE zip file path = xl/externalLinks/_rels/externalLink1.xml.rels
Source: Copy of 1- GCP Vendor Information Smart Form Stepan.xlsmInitial sample: OLE zip file path = xl/externalLinks/_rels/externalLink2.xml.rels
Source: Copy of 1- GCP Vendor Information Smart Form Stepan.xlsmInitial sample: OLE zip file path = customXml/item2.xml
Source: Copy of 1- GCP Vendor Information Smart Form Stepan.xlsmInitial sample: OLE zip file path = customXml/itemProps2.xml
Source: Copy of 1- GCP Vendor Information Smart Form Stepan.xlsmInitial sample: OLE zip file path = customXml/itemProps3.xml
Source: Copy of 1- GCP Vendor Information Smart Form Stepan.xlsmInitial sample: OLE zip file path = customXml/_rels/item2.xml.rels
Source: Copy of 1- GCP Vendor Information Smart Form Stepan.xlsmInitial sample: OLE zip file path = customXml/_rels/item3.xml.rels
Source: Copy of 1- GCP Vendor Information Smart Form Stepan.xlsmInitial sample: OLE zip file path = customXml/item3.xml
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: Copy of 1- GCP Vendor Information Smart Form Stepan.xlsm, Static file information: File size 5739366 > 1048576
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Data Obfuscation

Source: Copy of 1- GCP Vendor Information Smart Form Stepan.xlsm, Stream path 'VBA/Module3': High number of string operations
Source: Copy of 1- GCP Vendor Information Smart Form Stepan.xlsm, Stream path 'VBA/Module4': High number of string operations
Source: Copy of 1- GCP Vendor Information Smart Form Stepan.xlsm, Stream path 'VBA/Module5': High number of string operations
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe, Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe, Window / User API: threadDelayed 1163
Source: C:\Windows\splwow64.exe, Window / User API: threadDelayed 8118
Source: C:\Windows\splwow64.exe, Thread delayed: delay time: 120000
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Process information queried: ProcessInformation
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | 32 Scripting | Valid Accounts | 3 Exploitation for Client Execution | 1 Browser Extensions | 1 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Security Software Discovery | Remote Services | Data from Local System | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | 32 Scripting | 1 Extra Window Memory Injection | 1 Disable or Modify Tools | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Virtualization/Sandbox Evasion | Security Account Manager | 1 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 3 Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Obfuscated Files or Information | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Extra Window Memory Injection | Cached Domain Credentials | 1 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
