dccbc6302f527a55848059cfbd9345e9697dfd9ce1a010b620c12a56db76e062

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
12-07-2022 14:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3432.xlsx
Size

133KB
MD5

53ca1cb055fc378db64fb5da2be2dffe
SHA1

660385a656c78e079c9c5969c6cb8a490d2271df
SHA256

dccbc6302f527a55848059cfbd9345e9697dfd9ce1a010b620c12a56db76e062
SHA512

66442c4f67edc443143298418ac87a635dfd1a5613e2cc48fc3a5d449b2124a1ed9a5d4d75df723fe5ae239f2d49f3a517612268ab864a8eefd9995902a03a86

Score

10^/10

persistence

Malware Config

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

msedge.exemsedge.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	64	4528	msedge.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1808	4528	msedge.exe	EXCEL.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\9c4e4059-b595-4403-84bf-d45489f000a1.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220712143643.pma	setup.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEmsedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

4528 EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
5096	msedge.exe
5096	msedge.exe
64	msedge.exe
64	msedge.exe
3864	identity_helper.exe
3864	identity_helper.exe
5640	msedge.exe
5640	msedge.exe
5640	msedge.exe
5640	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

64 msedge.exe
64 msedge.exe
64 msedge.exe
64 msedge.exe
64 msedge.exe
64 msedge.exe
64 msedge.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

msedge.exe

pid process

64 msedge.exe
64 msedge.exe
64 msedge.exe

pid	process
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe

pid	process
64	msedge.exe
64	msedge.exe
64	msedge.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

EXCEL.EXE

pid	process
4528	EXCEL.EXE
4528	EXCEL.EXE
4528	EXCEL.EXE
4528	EXCEL.EXE
4528	EXCEL.EXE
4528	EXCEL.EXE
4528	EXCEL.EXE
4528	EXCEL.EXE
4528	EXCEL.EXE
4528	EXCEL.EXE
4528	EXCEL.EXE
4528	EXCEL.EXE
4528	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

EXCEL.EXEmsedge.exe

description	pid	process	target process
PID 4528 wrote to memory of 64	4528	EXCEL.EXE	msedge.exe
PID 4528 wrote to memory of 64	4528	EXCEL.EXE	msedge.exe
PID 64 wrote to memory of 552	64	msedge.exe	msedge.exe
PID 64 wrote to memory of 552	64	msedge.exe	msedge.exe
PID 64 wrote to memory of 1296	64	msedge.exe	msedge.exe
PID 64 wrote to memory of 1296	64	msedge.exe	msedge.exe
PID 64 wrote to memory of 1296	64	msedge.exe	msedge.exe
PID 64 wrote to memory of 1296	64	msedge.exe	msedge.exe
PID 64 wrote to memory of 1296	64	msedge.exe	msedge.exe
PID 64 wrote to memory of 1296	64	msedge.exe	msedge.exe
PID 64 wrote to memory of 1296	64	msedge.exe	msedge.exe
PID 64 wrote to memory of 1296	64	msedge.exe	msedge.exe
PID 64 wrote to memory of 1296	64	msedge.exe	msedge.exe
PID 64 wrote to memory of 1296	64	msedge.exe	msedge.exe
PID 64 wrote to memory of 1296	64	msedge.exe	msedge.exe
PID 64 wrote to memory of 1296	64	msedge.exe	msedge.exe
PID 64 wrote to memory of 1296	64	msedge.exe	msedge.exe
PID 64 wrote to memory of 1296	64	msedge.exe	msedge.exe
PID 64 wrote to memory of 1296	64	msedge.exe	msedge.exe
PID 64 wrote to memory of 1296	64	msedge.exe	msedge.exe
PID 64 wrote to memory of 1296	64	msedge.exe	msedge.exe
PID 64 wrote to memory of 1296	64	msedge.exe	msedge.exe
PID 64 wrote to memory of 1296	64	msedge.exe	msedge.exe
PID 64 wrote to memory of 1296	64	msedge.exe	msedge.exe
PID 64 wrote to memory of 1296	64	msedge.exe	msedge.exe
PID 64 wrote to memory of 1296	64	msedge.exe	msedge.exe
PID 64 wrote to memory of 1296	64	msedge.exe	msedge.exe
PID 64 wrote to memory of 1296	64	msedge.exe	msedge.exe
PID 64 wrote to memory of 1296	64	msedge.exe	msedge.exe
PID 64 wrote to memory of 1296	64	msedge.exe	msedge.exe
PID 64 wrote to memory of 1296	64	msedge.exe	msedge.exe
PID 64 wrote to memory of 1296	64	msedge.exe	msedge.exe
PID 64 wrote to memory of 1296	64	msedge.exe	msedge.exe
PID 64 wrote to memory of 1296	64	msedge.exe	msedge.exe
PID 64 wrote to memory of 1296	64	msedge.exe	msedge.exe
PID 64 wrote to memory of 1296	64	msedge.exe	msedge.exe
PID 64 wrote to memory of 1296	64	msedge.exe	msedge.exe
PID 64 wrote to memory of 1296	64	msedge.exe	msedge.exe
PID 64 wrote to memory of 1296	64	msedge.exe	msedge.exe
PID 64 wrote to memory of 1296	64	msedge.exe	msedge.exe
PID 64 wrote to memory of 1296	64	msedge.exe	msedge.exe
PID 64 wrote to memory of 1296	64	msedge.exe	msedge.exe
PID 64 wrote to memory of 1296	64	msedge.exe	msedge.exe
PID 64 wrote to memory of 1296	64	msedge.exe	msedge.exe
PID 64 wrote to memory of 5096	64	msedge.exe	msedge.exe
PID 64 wrote to memory of 5096	64	msedge.exe	msedge.exe
PID 64 wrote to memory of 4912	64	msedge.exe	msedge.exe
PID 64 wrote to memory of 4912	64	msedge.exe	msedge.exe
PID 64 wrote to memory of 4912	64	msedge.exe	msedge.exe
PID 64 wrote to memory of 4912	64	msedge.exe	msedge.exe
PID 64 wrote to memory of 4912	64	msedge.exe	msedge.exe
PID 64 wrote to memory of 4912	64	msedge.exe	msedge.exe
PID 64 wrote to memory of 4912	64	msedge.exe	msedge.exe
PID 64 wrote to memory of 4912	64	msedge.exe	msedge.exe
PID 64 wrote to memory of 4912	64	msedge.exe	msedge.exe
PID 64 wrote to memory of 4912	64	msedge.exe	msedge.exe
PID 64 wrote to memory of 4912	64	msedge.exe	msedge.exe
PID 64 wrote to memory of 4912	64	msedge.exe	msedge.exe
PID 64 wrote to memory of 4912	64	msedge.exe	msedge.exe
PID 64 wrote to memory of 4912	64	msedge.exe	msedge.exe
PID 64 wrote to memory of 4912	64	msedge.exe	msedge.exe
PID 64 wrote to memory of 4912	64	msedge.exe	msedge.exe
PID 64 wrote to memory of 4912	64	msedge.exe	msedge.exe
PID 64 wrote to memory of 4912	64	msedge.exe	msedge.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\3432.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/v3/signin/identifier?dsh=S755347057%3A1657636589946343&continue=https%3A%2F%2Fsites.google.com%2Fview%2Fdouments%2Fexcel-online&followup=https%3A%2F%2Fsites.google.com%2Fview%2Fdouments%2Fexcel-online&osid=1&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&ifkv=AX3vH3_hrXO1iKcX-uBVlNjr0yT6OiSlI7NBybrt1B2VqqdT61nv1GfCfLE8NJpMMamC579JwdJPbQ
2⤵
- Process spawned unexpected child process
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:64

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff818ef46f8,0x7ff818ef4708,0x7ff818ef4718
3⤵
PID:552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,3894054838612769028,5553446341625072605,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
3⤵
PID:1296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,3894054838612769028,5553446341625072605,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,3894054838612769028,5553446341625072605,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8
3⤵
PID:4912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3894054838612769028,5553446341625072605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
3⤵
PID:3716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3894054838612769028,5553446341625072605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:1
3⤵
PID:4872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3894054838612769028,5553446341625072605,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4004 /prefetch:1
3⤵
PID:3104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3894054838612769028,5553446341625072605,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:1
3⤵
PID:2476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3894054838612769028,5553446341625072605,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
3⤵
PID:4024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2128,3894054838612769028,5553446341625072605,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5092 /prefetch:8
3⤵
PID:1632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2128,3894054838612769028,5553446341625072605,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3772 /prefetch:8
3⤵
PID:2756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3894054838612769028,5553446341625072605,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
3⤵
PID:4064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3894054838612769028,5553446341625072605,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1
3⤵
PID:756

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,3894054838612769028,5553446341625072605,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6180 /prefetch:8
3⤵
PID:3712

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
3⤵
- Drops file in Program Files directory
PID:3764

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff70d0b5460,0x7ff70d0b5470,0x7ff70d0b5480
4⤵
PID:2488

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,3894054838612769028,5553446341625072605,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6180 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,3894054838612769028,5553446341625072605,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3852 /prefetch:8
3⤵
PID:5396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,3894054838612769028,5553446341625072605,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5636 /prefetch:8
3⤵
PID:5468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,3894054838612769028,5553446341625072605,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1044 /prefetch:8
3⤵
PID:5532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,3894054838612769028,5553446341625072605,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3084 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,3894054838612769028,5553446341625072605,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2952 /prefetch:8
3⤵
PID:5696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/v3/signin/identifier?dsh=S-1307971554%3A1657636595111507&continue=https%3A%2F%2Fsites.google.com%2Fview%2Fdouments%2Fexcel-online&followup=https%3A%2F%2Fsites.google.com%2Fview%2Fdouments%2Fexcel-online&osid=1&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&ifkv=AX3vH3_VTiKWGZUrZXsNAS4QdysTPezd3-ToVA847F5ricWYbjl1BW537uMug61cQV4SH0KdE4Ix
2⤵
- Process spawned unexpected child process
PID:1808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff818ef46f8,0x7ff818ef4708,0x7ff818ef4718
3⤵
PID:1880

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3620

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
e4bf91bddcb594ce03b19a0766b7e082

SHA1
883aa813de71f04406b7fdf24ad0ee3b76585745

SHA256
2fa63b331a7664f45a8cffd1b8aa8cfd1b66cfdea8a59f17806b52159ff678d9

SHA512
6a0d03940be8be33df3520703d2509e0f1dcaee8e4548c9a00e1b88c1fc8e448ec1825f610214e43566b5b54620bfab5a6749cd0f24ee5c1002352537a435bbf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_C668445AACCF7A560A7B569C97BA4550
Filesize
471B

MD5
b886d3c072cf19c981d522084269df07

SHA1
67530d5bf79c037aab329dee86e11e28e28a6dc6

SHA256
a88284cd36e19ceaa6a849e6b6ef7caff9bf2fce5cbe98659fe3a7438ea9ef8b

SHA512
42f9596d71e904a47c1325d47ec9622405945805da8df9660fa5b4361e244df657410c6311a6305e14484e1da78422b2381639a0f9cf1175f79f0a26881f4fcd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_D286E324D13B58F35DA77B01A840D7C0
Filesize
472B

MD5
b4447af54ff22e7bf5dc6db8992b8eb4

SHA1
81688ab45d876c3aa458b5167f9da115c1ac4614

SHA256
034c27e0d12b889b7a4578424eac67a0a390af43ae453d2e89586a344892cd48

SHA512
07e3f89e46e0b287b4dae5dd27e0cab5fae7eabbcbb1113f0670512298e7dca01b7044062ed380ad7e9e30f1c03212da852433e75e532330ba6b785d1239b119

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
Filesize
471B

MD5
b36176d60935bce0a7ec7a4d2d441f5c

SHA1
c245943f1c133e4f904424c1e8dccfca2ef07b0c

SHA256
ecad7b166bb92ce4677ae799413b48f7821f382de02822d187ad61afeb058f9e

SHA512
5fde4ba18c91fa664936a0f7c985612a7bff99d380fbee7c2b3f1ecbf2fd6c141898ee370484f672af975ad9a22b689e2e60e2aa06d02434f25c8b7a5aaed516

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Filesize
724B

MD5
5a11c6099b9e5808dfb08c5c9570c92f

SHA1
e5dc219641146d1839557973f348037fa589fd18

SHA256
91291a5edc4e10a225d3c23265d236ecc74473d9893be5bd07e202d95b3fb172

SHA512
c2435b6619464a14c65ab116ab83a6e0568bdf7abc5e5a5e19f3deaf56c70a46360965da8b60e1256e9c8656aef9751adb9e762731bb8dbab145f1c8224ac8f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
0cea869910eed79a5e44bff5c4901d89

SHA1
ae6d6e180dc99110a1268ca6bc6e3daa054b1f7e

SHA256
b151934ca1d3b96c1aa3c03432b6b47deada094e11ea03e61a3000c5b546e389

SHA512
a4b69788638a18e4770eb12cd009dfd46b90d4616f33196574f7c5c56c9cdd17839208abb8567276ac612d25c4cd14601c4000c767be6f5b68da34dc9b6fc265

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_C668445AACCF7A560A7B569C97BA4550
Filesize
406B

MD5
4d448fc8e1ee84a32dc3952784c2306a

SHA1
92bfbcc220d3b3b8ea16ff25f750121fcbebebf6

SHA256
a72f013008a4bacbe6196d77a6f55c72b7c9cfae4b7802046363e28083cca5bd

SHA512
1b555c6a92e66f1acd79d8e9fcd9c1a11cd36fc18c2db5b16f1333020163d0bff3d185c6d851a550be98e959e5d8682ceb89b6e8043ad55ccfc81ee4d10b13bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_D286E324D13B58F35DA77B01A840D7C0
Filesize
406B

MD5
f48a798a2b24c4ec1c210ecd21daa9d5

SHA1
2b8b016cf322c890ea18f5a3c2c2918771874623

SHA256
8a5569f2bb4364f4f59657d7e5bf7f974dedd90c37cabf7daa7f70133e11025c

SHA512
738e4d3b259e365a74ca7241da9bba91833ebdd30dbc796891abb7430d8f30a107cdcd5b32bf06a0a747cf4cef09862bad416c241474cc4e1c720ac23d800c7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
Filesize
412B

MD5
73f8a081d1cce24e596cba32c3420046

SHA1
13103456900874e697622d39ac9fdef4b43f5397

SHA256
2ee51eb87b2572a181d183e868fbce3a4f080eb9c72944af3f5ae730e614f24c

SHA512
dae66257d86471d474fccb93fef81a20d104815cb875152f24858171666bcac9df084ae29e4b05dcc395d19b5b4470cf4102f2a19b1907688424c718400af305

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Filesize
392B

MD5
39165f68522853868d259b0a8f8bb5f9

SHA1
cdb3d31898c52998375434d710cc19c23007793e

SHA256
068bf64b1435dc69024f062cf8b9cfc266d84e7f778161dbe6d22421b6982399

SHA512
fb38637fa9d6b5be3c6234da9fc18e841f5d88caf0d8f7ced38ff0b9989c81dea8b3ae6580eae7905e788c026e9d373692ad66976fd5924b97a9d16414edd451

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
246515b4eb30d26c707924b86d457581

SHA1
4186c1ef3f36c8300c779a717f1757d9aebc947b

SHA256
9913e2b5bbd8cf69f88b50c22f6e4ede92b63b3b4af794efd0c873faaa481107

SHA512
94d776aa4d0f54e94ac45873bcfb87462ecb5c29adb82bc3c9af7da11d74c3736841e43203c4a87a50981ad8a4539a973d9d396e75f6e3b138e74626701dc778

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
006025b816d32f1c02542b14f3cc265c

SHA1
ff19761346d8368e35d9c173423cfa3efa4e0ee7

SHA256
b3ed9da1b621b64d962fbcb2e3519278654cae40366107975fb82ce5043bff7b

SHA512
16566f1458e0f82dd1757cedd4f06546816f336d523f4ea6685b0c0fa4aabe3c00dd906839514a52d1893c96cc06cea8159040e072d085895f87d2ee7a61339b

Download Submit
\??\pipe\LOCAL\crashpad_64_UPGRDLHEAOGKYHLT
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/64-137-0x0000000000000000-mapping.dmp

Download
memory/552-138-0x0000000000000000-mapping.dmp

Download
memory/756-176-0x0000000000000000-mapping.dmp

Download
memory/1296-140-0x0000000000000000-mapping.dmp

Download
memory/1632-168-0x0000000000000000-mapping.dmp

Download
memory/1808-149-0x0000000000000000-mapping.dmp

Download
memory/1880-150-0x0000000000000000-mapping.dmp

Download
memory/2476-164-0x0000000000000000-mapping.dmp

Download
memory/2488-178-0x0000000000000000-mapping.dmp

Download
memory/2756-172-0x0000000000000000-mapping.dmp

Download
memory/3104-153-0x0000000000000000-mapping.dmp

Download
memory/3716-146-0x0000000000000000-mapping.dmp

Download
memory/3764-177-0x0000000000000000-mapping.dmp

Download
memory/3864-179-0x0000000000000000-mapping.dmp

Download
memory/4024-166-0x0000000000000000-mapping.dmp

Download
memory/4064-174-0x0000000000000000-mapping.dmp

Download
memory/4528-136-0x00007FF8013C0000-0x00007FF8013D0000-memory.dmp

Filesize
64KB

Download
memory/4528-132-0x00007FF803530000-0x00007FF803540000-memory.dmp

Filesize
64KB

Download
memory/4528-134-0x00007FF803530000-0x00007FF803540000-memory.dmp

Filesize
64KB

Download
memory/4528-133-0x00007FF803530000-0x00007FF803540000-memory.dmp

Filesize
64KB

Download
memory/4528-130-0x00007FF803530000-0x00007FF803540000-memory.dmp

Filesize
64KB

Download
memory/4528-131-0x00007FF803530000-0x00007FF803540000-memory.dmp

Filesize
64KB

Download
memory/4528-135-0x00007FF8013C0000-0x00007FF8013D0000-memory.dmp

Filesize
64KB

Download
memory/4872-148-0x0000000000000000-mapping.dmp

Download
memory/4912-143-0x0000000000000000-mapping.dmp

Download
memory/5096-141-0x0000000000000000-mapping.dmp

Download
memory/5396-181-0x0000000000000000-mapping.dmp

Download
memory/5468-183-0x0000000000000000-mapping.dmp

Download
memory/5532-185-0x0000000000000000-mapping.dmp

Download
memory/5640-186-0x0000000000000000-mapping.dmp

Download
memory/5696-188-0x0000000000000000-mapping.dmp

Download