Files
File Path
|
Type
|
Category
|
Malicious
|
|
---|---|---|---|---|
Serbia_Vendor_Creation_1.xlsx
|
Microsoft Excel 2007+
|
initial sample
|
||
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\40AD1EBD.png
|
PNG image data, 918 x 680, 8-bit/color RGBA, non-interlaced
|
modified
|
||
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6C4E2997.emf
|
Windows Enhanced Metafile (EMF) image data version 0x10000
|
dropped
|
||
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6DB1906E.emf
|
Windows Enhanced Metafile (EMF) image data version 0x10000
|
dropped
|
||
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B44946AC.png
|
PNG image data, 423 x 695, 8-bit/color RGBA, non-interlaced
|
dropped
|
||
C:\Users\user\AppData\Local\Temp\6B9E.tmp
|
Microsoft Excel 2007+
|
dropped
|
||
C:\Users\user\AppData\Local\Temp\6B9E.tmp:Zone.Identifier
|
ASCII text, with CRLF line terminators
|
dropped
|
||
C:\Users\user\Desktop\~$Serbia_Vendor_Creation_1.xlsx
|
data
|
dropped
|
Processes
Path
|
Cmdline
|
Malicious
|
|
---|---|---|---|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
|
Registry
Path
|
Value
|
Malicious
|
|
---|---|---|---|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
|
fo.
|
||
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Outlook\Journaling\Microsoft Excel
|
Enabled
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel
|
MTTT
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle
|
ReviewToken
|
||
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage
|
ProductNonBootFilesIntl_1033
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\2822A
|
2822A
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
|
ej.
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security\Trusted Documents
|
LastPurgeTime
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
|
1033
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
|
1033
|
||
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
|
EXCELFiles
|
||
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
|
ProductFiles
|
||
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage
|
ProductNonBootFilesIntl_1033
|
||
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
|
VBAFiles
|
There are 4 hidden registries, click here to show them.