Analysis
- max time kernel: 148s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 12-07-2022 14:35
Static task: static1
Behavioral task: behavioral1
- Sample: 3432.xlsx
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 3432.xlsx
- Resource: win10v2004-20220414-en
Behavioral task: behavioral3
- Sample: decrypted.xlsx
- Resource: win7-20220414-en
Behavioral task: behavioral4
- Sample: decrypted.xlsx
- Resource: win10v2004-20220414-en
General
- Target: 3432.xlsx
- Size: 133KB
- MD5: 53ca1cb055fc378db64fb5da2be2dffe
- SHA1: 660385a656c78e079c9c5969c6cb8a490d2271df
- SHA256: dccbc6302f527a55848059cfbd9345e9697dfd9ce1a010b620c12a56db76e062
- SHA512: 66442c4f67edc443143298418ac87a635dfd1a5613e2cc48fc3a5d449b2124a1ed9a5d4d75df723fe5ae239f2d49f3a517612268ab864a8eefd9995902a03a86
Malware Config
Signatures
-
Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: msedge.exe, msedge.exe
description | pid | pid_target | process | target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 64 | 4528 | msedge.exe | EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 1808 | 4528 | msedge.exe | EXCEL.EXE
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes: msedge.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows\CurrentVersion\Run | msedge.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops file in Program Files directory 2 IoCs
Processes: setup.exe
description | ioc | process
File created | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\9c4e4059-b595-4403-84bf-d45489f000a1.tmp | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220712143643.pma | setup.exe
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: EXCEL.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
-
Enumerates system info in registry 2 TTPs 6 IoCs
Processes: EXCEL.EXE, msedge.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
-
Modifies registry class 1 IoCs
Processes: msedge.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes: EXCEL.EXE
pid | process
4528 | EXCEL.EXE
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes: msedge.exe, msedge.exe, identity_helper.exe, msedge.exe
pid | process
5096 | msedge.exe
5096 | msedge.exe
64 | msedge.exe
64 | msedge.exe
3864 | identity_helper.exe
3864 | identity_helper.exe
5640 | msedge.exe
5640 | msedge.exe
5640 | msedge.exe
5640 | msedge.exe
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
Processes: msedge.exe
pid | process
64 | msedge.exe
64 | msedge.exe
64 | msedge.exe
64 | msedge.exe
64 | msedge.exe
64 | msedge.exe
64 | msedge.exe
-
Suspicious use of FindShellTrayWindow 3 IoCs
Processes: msedge.exe
pid | process
64 | msedge.exe
64 | msedge.exe
64 | msedge.exe
-
Suspicious use of SetWindowsHookEx 13 IoCs
Processes: EXCEL.EXE
pid | process
4528 | EXCEL.EXE
4528 | EXCEL.EXE
4528 | EXCEL.EXE
4528 | EXCEL.EXE
4528 | EXCEL.EXE
4528 | EXCEL.EXE
4528 | EXCEL.EXE
4528 | EXCEL.EXE
4528 | EXCEL.EXE
4528 | EXCEL.EXE
4528 | EXCEL.EXE
4528 | EXCEL.EXE
4528 | EXCEL.EXE
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: EXCEL.EXE, msedge.exe
description | pid | process | target process
PID 4528 wrote to memory of 64 | 4528 | EXCEL.EXE | msedge.exe
PID 4528 wrote to memory of 64 | 4528 | EXCEL.EXE | msedge.exe
PID 64 wrote to memory of 552 | 64 | msedge.exe | msedge.exe
PID 64 wrote to memory of 552 | 64 | msedge.exe | msedge.exe
PID 64 wrote to memory of 1296 | 64 | msedge.exe | msedge.exe
PID 64 wrote to memory of 1296 | 64 | msedge.exe | msedge.exe
PID 64 wrote to memory of 1296 | 64 | msedge.exe | msedge.exe
PID 64 wrote to memory of 1296 | 64 | msedge.exe | msedge.exe
PID 64 wrote to memory of 1296 | 64 | msedge.exe | msedge.exe
PID 64 wrote to memory of 1296 | 64 | msedge.exe | msedge.exe
PID 64 wrote to memory of 1296 | 64 | msedge.exe | msedge.exe
PID 64 wrote to memory of 1296 | 64 | msedge.exe | msedge.exe
PID 64 wrote to memory of 1296 | 64 | msedge.exe | msedge.exe
PID 64 wrote to memory of 1296 | 64 | msedge.exe | msedge.exe
PID 64 wrote to memory of 1296 | 64 | msedge.exe | msedge.exe
PID 64 wrote to memory of 1296 | 64 | msedge.exe | msedge.exe
PID 64 wrote to memory of 1296 | 64 | msedge.exe | msedge.exe
PID 64 wrote to memory of 1296 | 64 | msedge.exe | msedge.exe
PID 64 wrote to memory of 1296 | 64 | msedge.exe | msedge.exe
PID 64 wrote to memory of 1296 | 64 | msedge.exe | msedge.exe
PID 64 wrote to memory of 1296 | 64 | msedge.exe | msedge.exe
PID 64 wrote to memory of 1296 | 64 | msedge.exe | msedge.exe
PID 64 wrote to memory of 1296 | 64 | msedge.exe | msedge.exe
PID 64 wrote to memory of 1296 | 64 | msedge.exe | msedge.exe
PID 64 wrote to memory of 1296 | 64 | msedge.exe | msedge.exe
PID 64 wrote to memory of 1296 | 64 | msedge.exe | msedge.exe
PID 64 wrote to memory of 1296 | 64 | msedge.exe | msedge.exe
PID 64 wrote to memory of 1296 | 64 | msedge.exe | msedge.exe
PID 64 wrote to memory of 1296 | 64 | msedge.exe | msedge.exe
PID 64 wrote to memory of 1296 | 64 | msedge.exe | msedge.exe
PID 64 wrote to memory of 1296 | 64 | msedge.exe | msedge.exe
PID 64 wrote to memory of 1296 | 64 | msedge.exe | msedge.exe
PID 64 wrote to memory of 1296 | 64 | msedge.exe | msedge.exe
PID 64 wrote to memory of 1296 | 64 | msedge.exe | msedge.exe
PID 64 wrote to memory of 1296 | 64 | msedge.exe | msedge.exe
PID 64 wrote to memory of 1296 | 64 | msedge.exe | msedge.exe
PID 64 wrote to memory of 1296 | 64 | msedge.exe | msedge.exe
PID 64 wrote to memory of 1296 | 64 | msedge.exe | msedge.exe
PID 64 wrote to memory of 1296 | 64 | msedge.exe | msedge.exe
PID 64 wrote to memory of 1296 | 64 | msedge.exe | msedge.exe
PID 64 wrote to memory of 1296 | 64 | msedge.exe | msedge.exe
PID 64 wrote to memory of 1296 | 64 | msedge.exe | msedge.exe
PID 64 wrote to memory of 1296 | 64 | msedge.exe | msedge.exe
PID 64 wrote to memory of 1296 | 64 | msedge.exe | msedge.exe
PID 64 wrote to memory of 5096 | 64 | msedge.exe | msedge.exe
PID 64 wrote to memory of 5096 | 64 | msedge.exe | msedge.exe
PID 64 wrote to memory of 4912 | 64 | msedge.exe | msedge.exe
PID 64 wrote to memory of 4912 | 64 | msedge.exe | msedge.exe
PID 64 wrote to memory of 4912 | 64 | msedge.exe | msedge.exe
PID 64 wrote to memory of 4912 | 64 | msedge.exe | msedge.exe
PID 64 wrote to memory of 4912 | 64 | msedge.exe | msedge.exe
PID 64 wrote to memory of 4912 | 64 | msedge.exe | msedge.exe
PID 64 wrote to memory of 4912 | 64 | msedge.exe | msedge.exe
PID 64 wrote to memory of 4912 | 64 | msedge.exe | msedge.exe
PID 64 wrote to memory of 4912 | 64 | msedge.exe | msedge.exe
PID 64 wrote to memory of 4912 | 64 | msedge.exe | msedge.exe
PID 64 wrote to memory of 4912 | 64 | msedge.exe | msedge.exe
PID 64 wrote to memory of 4912 | 64 | msedge.exe | msedge.exe
PID 64 wrote to memory of 4912 | 64 | msedge.exe | msedge.exe
PID 64 wrote to memory of 4912 | 64 | msedge.exe | msedge.exe
PID 64 wrote to memory of 4912 | 64 | msedge.exe | msedge.exe
PID 64 wrote to memory of 4912 | 64 | msedge.exe | msedge.exe
PID 64 wrote to memory of 4912 | 64 | msedge.exe | msedge.exe
PID 64 wrote to memory of 4912 | 64 | msedge.exe | msedge.exe
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\3432.xlsx"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/v3/signin/identifier?dsh=S755347057%3A1657636589946343&continue=https%3A%2F%2Fsites.google.com%2Fview%2Fdouments%2Fexcel-online&followup=https%3A%2F%2Fsites.google.com%2Fview%2Fdouments%2Fexcel-online&osid=1&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&ifkv=AX3vH3_hrXO1iKcX-uBVlNjr0yT6OiSlI7NBybrt1B2VqqdT61nv1GfCfLE8NJpMMamC579JwdJPbQ
    - Process spawned unexpected child process
    - Adds Run key to start application
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff818ef46f8,0x7ff818ef4708,0x7ff818ef4718
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,3894054838612769028,5553446341625072605,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,3894054838612769028,5553446341625072605,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,3894054838612769028,5553446341625072605,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3894054838612769028,5553446341625072605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3894054838612769028,5553446341625072605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3894054838612769028,5553446341625072605,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4004 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3894054838612769028,5553446341625072605,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3894054838612769028,5553446341625072605,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2128,3894054838612769028,5553446341625072605,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5092 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2128,3894054838612769028,5553446341625072605,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3772 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3894054838612769028,5553446341625072605,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3894054838612769028,5553446341625072605,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,3894054838612769028,5553446341625072605,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6180 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
      - Drops file in Program Files directory
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff70d0b5460,0x7ff70d0b5470,0x7ff70d0b5480
    - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,3894054838612769028,5553446341625072605,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6180 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,3894054838612769028,5553446341625072605,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3852 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,3894054838612769028,5553446341625072605,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5636 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,3894054838612769028,5553446341625072605,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1044 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,3894054838612769028,5553446341625072605,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3084 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,3894054838612769028,5553446341625072605,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2952 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/v3/signin/identifier?dsh=S-1307971554%3A1657636595111507&continue=https%3A%2F%2Fsites.google.com%2Fview%2Fdouments%2Fexcel-online&followup=https%3A%2F%2Fsites.google.com%2Fview%2Fdouments%2Fexcel-online&osid=1&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&ifkv=AX3vH3_VTiKWGZUrZXsNAS4QdysTPezd3-ToVA847F5ricWYbjl1BW537uMug61cQV4SH0KdE4Ix
    - Process spawned unexpected child process
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff818ef46f8,0x7ff818ef4708,0x7ff818ef4718
- C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize: 1KB
MD5: e4bf91bddcb594ce03b19a0766b7e082
SHA1: 883aa813de71f04406b7fdf24ad0ee3b76585745
SHA256: 2fa63b331a7664f45a8cffd1b8aa8cfd1b66cfdea8a59f17806b52159ff678d9
SHA512: 6a0d03940be8be33df3520703d2509e0f1dcaee8e4548c9a00e1b88c1fc8e448ec1825f610214e43566b5b54620bfab5a6749cd0f24ee5c1002352537a435bbf
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_C668445AACCF7A560A7B569C97BA4550
Filesize: 471B
MD5: b886d3c072cf19c981d522084269df07
SHA1: 67530d5bf79c037aab329dee86e11e28e28a6dc6
SHA256: a88284cd36e19ceaa6a849e6b6ef7caff9bf2fce5cbe98659fe3a7438ea9ef8b
SHA512: 42f9596d71e904a47c1325d47ec9622405945805da8df9660fa5b4361e244df657410c6311a6305e14484e1da78422b2381639a0f9cf1175f79f0a26881f4fcd
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_D286E324D13B58F35DA77B01A840D7C0
Filesize: 472B
MD5: b4447af54ff22e7bf5dc6db8992b8eb4
SHA1: 81688ab45d876c3aa458b5167f9da115c1ac4614
SHA256: 034c27e0d12b889b7a4578424eac67a0a390af43ae453d2e89586a344892cd48
SHA512: 07e3f89e46e0b287b4dae5dd27e0cab5fae7eabbcbb1113f0670512298e7dca01b7044062ed380ad7e9e30f1c03212da852433e75e532330ba6b785d1239b119
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
Filesize: 471B
MD5: b36176d60935bce0a7ec7a4d2d441f5c
SHA1: c245943f1c133e4f904424c1e8dccfca2ef07b0c
SHA256: ecad7b166bb92ce4677ae799413b48f7821f382de02822d187ad61afeb058f9e
SHA512: 5fde4ba18c91fa664936a0f7c985612a7bff99d380fbee7c2b3f1ecbf2fd6c141898ee370484f672af975ad9a22b689e2e60e2aa06d02434f25c8b7a5aaed516
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Filesize: 724B
MD5: 5a11c6099b9e5808dfb08c5c9570c92f
SHA1: e5dc219641146d1839557973f348037fa589fd18
SHA256: 91291a5edc4e10a225d3c23265d236ecc74473d9893be5bd07e202d95b3fb172
SHA512: c2435b6619464a14c65ab116ab83a6e0568bdf7abc5e5a5e19f3deaf56c70a46360965da8b60e1256e9c8656aef9751adb9e762731bb8dbab145f1c8224ac8f9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize: 410B
MD5: 0cea869910eed79a5e44bff5c4901d89
SHA1: ae6d6e180dc99110a1268ca6bc6e3daa054b1f7e
SHA256: b151934ca1d3b96c1aa3c03432b6b47deada094e11ea03e61a3000c5b546e389
SHA512: a4b69788638a18e4770eb12cd009dfd46b90d4616f33196574f7c5c56c9cdd17839208abb8567276ac612d25c4cd14601c4000c767be6f5b68da34dc9b6fc265
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_C668445AACCF7A560A7B569C97BA4550
Filesize: 406B
MD5: 4d448fc8e1ee84a32dc3952784c2306a
SHA1: 92bfbcc220d3b3b8ea16ff25f750121fcbebebf6
SHA256: a72f013008a4bacbe6196d77a6f55c72b7c9cfae4b7802046363e28083cca5bd
SHA512: 1b555c6a92e66f1acd79d8e9fcd9c1a11cd36fc18c2db5b16f1333020163d0bff3d185c6d851a550be98e959e5d8682ceb89b6e8043ad55ccfc81ee4d10b13bb
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_D286E324D13B58F35DA77B01A840D7C0
Filesize: 406B
MD5: f48a798a2b24c4ec1c210ecd21daa9d5
SHA1: 2b8b016cf322c890ea18f5a3c2c2918771874623
SHA256: 8a5569f2bb4364f4f59657d7e5bf7f974dedd90c37cabf7daa7f70133e11025c
SHA512: 738e4d3b259e365a74ca7241da9bba91833ebdd30dbc796891abb7430d8f30a107cdcd5b32bf06a0a747cf4cef09862bad416c241474cc4e1c720ac23d800c7a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
Filesize: 412B
MD5: 73f8a081d1cce24e596cba32c3420046
SHA1: 13103456900874e697622d39ac9fdef4b43f5397
SHA256: 2ee51eb87b2572a181d183e868fbce3a4f080eb9c72944af3f5ae730e614f24c
SHA512: dae66257d86471d474fccb93fef81a20d104815cb875152f24858171666bcac9df084ae29e4b05dcc395d19b5b4470cf4102f2a19b1907688424c718400af305
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Filesize: 392B
MD5: 39165f68522853868d259b0a8f8bb5f9
SHA1: cdb3d31898c52998375434d710cc19c23007793e
SHA256: 068bf64b1435dc69024f062cf8b9cfc266d84e7f778161dbe6d22421b6982399
SHA512: fb38637fa9d6b5be3c6234da9fc18e841f5d88caf0d8f7ced38ff0b9989c81dea8b3ae6580eae7905e788c026e9d373692ad66976fd5924b97a9d16414edd451
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize: 152B
MD5: 246515b4eb30d26c707924b86d457581
SHA1: 4186c1ef3f36c8300c779a717f1757d9aebc947b
SHA256: 9913e2b5bbd8cf69f88b50c22f6e4ede92b63b3b4af794efd0c873faaa481107
SHA512: 94d776aa4d0f54e94ac45873bcfb87462ecb5c29adb82bc3c9af7da11d74c3736841e43203c4a87a50981ad8a4539a973d9d396e75f6e3b138e74626701dc778
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize: 152B
MD5: 006025b816d32f1c02542b14f3cc265c
SHA1: ff19761346d8368e35d9c173423cfa3efa4e0ee7
SHA256: b3ed9da1b621b64d962fbcb2e3519278654cae40366107975fb82ce5043bff7b
SHA512: 16566f1458e0f82dd1757cedd4f06546816f336d523f4ea6685b0c0fa4aabe3c00dd906839514a52d1893c96cc06cea8159040e072d085895f87d2ee7a61339b
-
\??\pipe\LOCAL\crashpad_64_UPGRDLHEAOGKYHLT
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/64-137-0x0000000000000000-mapping.dmp
-
memory/552-138-0x0000000000000000-mapping.dmp
-
memory/756-176-0x0000000000000000-mapping.dmp
-
memory/1296-140-0x0000000000000000-mapping.dmp
-
memory/1632-168-0x0000000000000000-mapping.dmp
-
memory/1808-149-0x0000000000000000-mapping.dmp
-
memory/1880-150-0x0000000000000000-mapping.dmp
-
memory/2476-164-0x0000000000000000-mapping.dmp
-
memory/2488-178-0x0000000000000000-mapping.dmp
-
memory/2756-172-0x0000000000000000-mapping.dmp
-
memory/3104-153-0x0000000000000000-mapping.dmp
-
memory/3716-146-0x0000000000000000-mapping.dmp
-
memory/3764-177-0x0000000000000000-mapping.dmp
-
memory/3864-179-0x0000000000000000-mapping.dmp
-
memory/4024-166-0x0000000000000000-mapping.dmp
-
memory/4064-174-0x0000000000000000-mapping.dmp
-
memory/4528-136-0x00007FF8013C0000-0x00007FF8013D0000-memory.dmp
Filesize: 64KB
-
memory/4528-132-0x00007FF803530000-0x00007FF803540000-memory.dmp
Filesize: 64KB
-
memory/4528-134-0x00007FF803530000-0x00007FF803540000-memory.dmp
Filesize: 64KB
-
memory/4528-133-0x00007FF803530000-0x00007FF803540000-memory.dmp
Filesize: 64KB
-
memory/4528-130-0x00007FF803530000-0x00007FF803540000-memory.dmp
Filesize: 64KB
-
memory/4528-131-0x00007FF803530000-0x00007FF803540000-memory.dmp
Filesize: 64KB
-
memory/4528-135-0x00007FF8013C0000-0x00007FF8013D0000-memory.dmp
Filesize: 64KB
-
memory/4872-148-0x0000000000000000-mapping.dmp
-
memory/4912-143-0x0000000000000000-mapping.dmp
-
memory/5096-141-0x0000000000000000-mapping.dmp
-
memory/5396-181-0x0000000000000000-mapping.dmp
-
memory/5468-183-0x0000000000000000-mapping.dmp
-
memory/5532-185-0x0000000000000000-mapping.dmp
-
memory/5640-186-0x0000000000000000-mapping.dmp
-
memory/5696-188-0x0000000000000000-mapping.dmp