Malware analysis independert.zip Malicious activity | ANY.RUN

Add for printing

File name:	independert.zip
Full analysis:	https://app.any.run/tasks/be94a4ed-e94a-4c27-883e-f6aef380d0de
Verdict:	Malicious activity
Analysis date:	November 20, 2024, 05:46:07
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	arch-exec xor-url generic autoit
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:	FD1AF863CD35F991BC23B3FA27F7112D
SHA1:	51D96F068641F1E44CA9860703D1B9A1F3F6A99D
SHA256:	092D8E860B384FA6A0FF48620CF83807A6377AC1AF495E0CA4467A11051CDECC
SSDEEP:	98304:DjFupx580juHn512M6xcBPLx/Ue4D8Mfx9aTOdJ4/wGsC2/IMms5dOcyIMzrR4kS:MpOXC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Generic archive extractor
  - WinRAR.exe (PID: 4164)
- XORed URL has been found (YARA)
  - msiexec.exe (PID: 6136)
- Executing a file with an untrusted certificate
  - apdproxy.exe (PID: 6952)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - WinRAR.exe (PID: 4164)
- Executes as Windows Service
  - VSSVC.exe (PID: 4740)
- Unpacks CAB file
  - expand.exe (PID: 6876)
- Process drops legitimate windows executable
  - expand.exe (PID: 6876)
- Executable content was dropped or overwritten
  - expand.exe (PID: 6876)
  - apdproxy.exe (PID: 6952)
- The process drops C-runtime libraries
  - expand.exe (PID: 6876)
- Starts the AutoIt3 executable file
  - apdproxy.exe (PID: 6952)
INFO
- Reads Microsoft Office registry keys
  - WinRAR.exe (PID: 4164)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 4164)
  - msiexec.exe (PID: 2480)
- The process uses the downloaded file
  - WinRAR.exe (PID: 4164)
- Reads the computer name
  - msiexec.exe (PID: 2480)
- Checks supported languages
  - msiexec.exe (PID: 2480)
- Manages system restore points
  - SrTasks.exe (PID: 6720)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion:	20
ZipBitFlag:	-
ZipCompression:	Deflated
ZipModifyDate:	2024:01:30 19:31:22
ZipCRC:	0xeced16bf
ZipCompressedSize:	2106236
ZipUncompressedSize:	4157440
ZipFileName:	independert.msi

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

137

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

2480

C:\WINDOWS\system32\msiexec.exe /V

C:\Windows\System32\msiexec.exe

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows® installer

Version:

5.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

4164

"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\independert.zip

C:\Program Files\WinRAR\WinRAR.exe

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Version:

5.91.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

4740

C:\WINDOWS\system32\vssvc.exe

C:\Windows\System32\VSSVC.exe

—

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Microsoft® Volume Shadow Copy Service

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

6136

"C:\WINDOWS\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\Rar$EXa4164.38686\independert.msi"

C:\Windows\System32\msiexec.exe

WinRAR.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows® installer

Exit code:

1603

Version:

5.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

6720

C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:11

C:\Windows\System32\SrTasks.exe

—

msiexec.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Microsoft® Windows System Protection background tasks.

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\srtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

6732

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

SrTasks.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

6780

C:\Windows\syswow64\MsiExec.exe -Embedding 21A7D463D203CA88278A1898C99C093A

C:\Windows\SysWOW64\msiexec.exe

—

msiexec.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows® installer

Exit code:

Version:

5.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

6876

"C:\WINDOWS\system32\EXPAND.EXE" -R files.cab -F:* files

C:\Windows\SysWOW64\expand.exe

msiexec.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

LZ Expansion Utility

Exit code:

Version:

5.00 (WinBuild.160101.0800)

6888

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

expand.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

6952

"C:\Users\admin\AppData\Local\Temp\MW-1edcc488-386d-4621-8f82-bd0d303db408\files\apdproxy.exe"

C:\Users\admin\AppData\Local\Temp\MW-1edcc488-386d-4621-8f82-bd0d303db408\files\apdproxy.exe

msiexec.exe

User:

admin

Company:

Adobe Systems Incorporated

Integrity Level:

MEDIUM

Description:

Adobe Photoshop Album Starter Edition 3.2 component

Exit code:

Version:

3.2.0.77764

Add for printing

Total events

5 024

Read events

4 861

Write events

154

Delete events

Modification events


(PID) Process:	(4164) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(4164) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(4164) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(4164) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\independert.zip
(PID) Process:	(4164) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(4164) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(4164) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(4164) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(4164) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.msi\OpenWithProgids
Operation:	write	Name:	Msi.Package
Value:
(PID) Process:	(2480) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation:	write	Name:	SrCreateRp (Enter)
Value: 480000000000000006F02C850F3BDB01B009000098160000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2480	msiexec.exe	C:\System Volume Information\SPP\metadata-2		—
		MD5:—	SHA256:—
2480	msiexec.exe	C:\System Volume Information\SPP\snapshot-2		binary
		MD5:FEF3A6B60B31216DE788C48777D6DC5D	SHA256:1777C9E578037217B192F9EFD5F9DDEE88FEE479CA71F03552073F52631456E2
6780	msiexec.exe	C:\Users\admin\AppData\Local\Temp\MW-1edcc488-386d-4621-8f82-bd0d303db408\msiwrapper.ini		binary
		MD5:F06FF67537186CDB32D072C011D7A8B7	SHA256:AF80A2D0DE729C0B803C20965DCCFC0A91D47E84A33814F3E4FB25B5FDE1EF20
4164	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa4164.38686\independert.msi		executable
		MD5:484BEA10F5D2A0C4BDFA342E133033C6	SHA256:846F339F39E82F358FE5D0985AFDE119563754C9A8030DC237EAC1A963A8BBF4
2480	msiexec.exe	C:\Windows\Installer\edf11.msi		executable
		MD5:484BEA10F5D2A0C4BDFA342E133033C6	SHA256:846F339F39E82F358FE5D0985AFDE119563754C9A8030DC237EAC1A963A8BBF4
2480	msiexec.exe	C:\Windows\Installer\MSIE098.tmp		executable
		MD5:D82B3FB861129C5D71F0CD2874F97216	SHA256:107B32C5B789BE9893F24D5BFE22633D25B7A3CAE80082EF37B30E056869CC5C
2480	msiexec.exe	C:\System Volume Information\SPP\OnlineMetadataCache\{150952fd-a342-472d-8460-4219423d1066}_OnDiskSnapshotProp		binary
		MD5:FEF3A6B60B31216DE788C48777D6DC5D	SHA256:1777C9E578037217B192F9EFD5F9DDEE88FEE479CA71F03552073F52631456E2
6780	msiexec.exe	C:\Users\admin\AppData\Local\Temp\MW-1edcc488-386d-4621-8f82-bd0d303db408\files.cab		compressed
		MD5:B5A1995210150C6E9D362E967D83B590	SHA256:E0A36182DF70D6AF3289EA7C430874B8281DB531C767BEAB5131F6726F5635A2
6876	expand.exe	C:\Users\admin\AppData\Local\Temp\MW-1edcc488-386d-4621-8f82-bd0d303db408\files\apdproxy.exe		executable
		MD5:FC9E59FE8BC4FE05382CFF5C8FC59DE1	SHA256:A16B93C374E77F98889D7AD7F38B2282DBC5A40511541B9105B1DCF9216C3CF3
6876	expand.exe	C:\Users\admin\AppData\Local\Temp\MW-1edcc488-386d-4621-8f82-bd0d303db408\files\msvcr71.dll		executable
		MD5:86F1895AE8C5E8B17D99ECE768A70732	SHA256:8094AF5EE310714CAEBCCAEEE7769FFB08048503BA478B879EDFEF5F1A24FEFE

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	2.23.181.156:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
—	—	GET	200	2.23.181.156:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
4932	svchost.exe	GET	200	2.23.181.156:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4932	svchost.exe	GET	200	23.53.40.178:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
—	—	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
—	—	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4712	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
5832	RUXIMICS.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4932	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
4932	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4932	svchost.exe	23.53.40.178:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4932	svchost.exe	2.23.181.156:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	2.16.204.158:443	www.bing.com	Akamai International B.V.	DE	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 40.127.240.158	whitelisted
google.com	142.250.181.238	whitelisted
crl.microsoft.com	23.53.40.178 23.53.40.176	whitelisted
www.microsoft.com	2.23.181.156	whitelisted
www.bing.com	2.16.204.158 2.16.204.138 2.16.204.161 2.16.204.135 2.16.204.148	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
login.live.com	20.190.159.68 20.190.159.64 20.190.159.73 20.190.159.2 20.190.159.0 40.126.31.67 40.126.31.69 20.190.159.23	whitelisted
go.microsoft.com	23.213.166.81	whitelisted
slscr.update.microsoft.com	4.245.163.56	whitelisted
fe3cr.delivery.mp.microsoft.com	40.69.42.241	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

independert.zip

FD1AF863CD35F991BC23B3FA27F7112D

51D96F068641F1E44CA9860703D1B9A1F3F6A99D

092D8E860B384FA6A0FF48620CF83807A6377AC1AF495E0CA4467A11051CDECC

98304:DjFupx580juHn512M6xcBPLx/Ue4D8Mfx9aTOdJ4/wGsC2/IMms5dOcyIMzrR4kS:MpOXC

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Generic archive extractor

XORed URL has been found (YARA)

Executing a file with an untrusted certificate

SUSPICIOUS

Reads security settings of Internet Explorer

Executes as Windows Service

Unpacks CAB file

Process drops legitimate windows executable

Executable content was dropped or overwritten

The process drops C-runtime libraries

Starts the AutoIt3 executable file

INFO

Reads Microsoft Office registry keys

Executable content was dropped or overwritten

The process uses the downloaded file

Reads the computer name

Checks supported languages

Manages system restore points

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings