File name: independert.msi
Full analysis: https://app.any.run/tasks/265b359c-6bbf-4f7a-94fa-091dabafcf1e
Verdict: Malicious activity
Analysis date: December 07, 2024, 21:41:55
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
generated-doc
xor-url
generic
autoit
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Adobe Photoshop Album Starter Edition - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com 3.2.0.12228, Subject: Adobe Photoshop Album Starter Edition - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com, Author: Adobe Systems Incorporated, Keywords: Installer, Template: Intel;1033, Revision Number: {D07707F8-A6C1-4451-9ECB-911D62F0C679}, Create Time/Date: Sat Jul 23 12:01:26 2022, Last Saved Time/Date: Sat Jul 23 12:01:26 2022, Number of Pages: 200, Number of Words: 12, Name of Creating Application: MSI Wrapper (10.0.51.0), Security: 2
MD5: 484BEA10F5D2A0C4BDFA342E133033C6
SHA1: 6860971D489198DF13C64A295999BA3CC7C9C654
SHA256: 846F339F39E82F358FE5D0985AFDE119563754C9A8030DC237EAC1A963A8BBF4
SSDEEP: 98304:nU305CHdPQOinvYWWCSbpx2sBFmh5TV+UHqbMGHy+pz3FpjHRycPNGoe8N+expxL:nM3XTJs

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • XORed URL has been found (YARA)

      • msiexec.exe (PID: 6264)
      • msiexec.exe (PID: 6380)
    • Executing a file with an untrusted certificate

      • apdproxy.exe (PID: 1580)
  • SUSPICIOUS

    • Executes as Windows Service

      • VSSVC.exe (PID: 6428)
    • Unpacks CAB file

      • expand.exe (PID: 6180)
    • Process drops legitimate windows executable

      • expand.exe (PID: 6180)
    • Executable content was dropped or overwritten

      • expand.exe (PID: 6180)
      • apdproxy.exe (PID: 1580)
    • The process drops C-runtime libraries

      • expand.exe (PID: 6180)
    • Starts the AutoIt3 executable file

      • apdproxy.exe (PID: 1580)
  • INFO

    • An automatically generated document

      • msiexec.exe (PID: 6264)
    • Reads the computer name

      • msiexec.exe (PID: 6380)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 6380)
    • Manages system restore points

      • SrTasks.exe (PID: 7044)
    • Checks supported languages

      • msiexec.exe (PID: 6380)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (98.5)
.msi | Microsoft Installer (100)

EXIF

FlashPix

Title: Adobe Photoshop Album Starter Edition - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com 3.2.0.12228
Subject: Adobe Photoshop Album Starter Edition - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com
Author: Adobe Systems Incorporated
Keywords: Installer
Template: Intel;1033
RevisionNumber: {D07707F8-A6C1-4451-9ECB-911D62F0C679}
CreateDate: 2022:07:23 12:01:26
ModifyDate: 2022:07:23 12:01:26
Pages: 200
Words: 12
Software: MSI Wrapper (10.0.51.0)
Security: Read-only recommended
CodePage: Windows Latin 1 (Western European)
LocaleIndicator: 1033
Company: Adobe Systems Incorporated
No data.
All screenshots are available in the full report
Total processes: 130
Monitored processes: 10
Malicious processes: 4
Suspicious processes: 1

Behavior graph

Process nodes shown in the graph, in the order listed (the parent-child edges are only visible in the full report's interactive view; "no specs" is the report's own label for nodes without special flags):
  • start
  • msiexec.exe (#XOR-URL, no specs)
  • msiexec.exe (#XOR-URL)
  • vssvc.exe (no specs)
  • srtasks.exe (no specs)
  • conhost.exe (no specs)
  • msiexec.exe (no specs)
  • expand.exe
  • conhost.exe (no specs)
  • apdproxy.exe
  • autoit3.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1580
CMD: "C:\Users\admin\AppData\Local\Temp\MW-22fb7a87-fa4e-44e9-a83d-e3fde51db22b\files\apdproxy.exe"
Path: C:\Users\admin\AppData\Local\Temp\MW-22fb7a87-fa4e-44e9-a83d-e3fde51db22b\files\apdproxy.exe
Parent process: msiexec.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: MEDIUM
Description: Adobe Photoshop Album Starter Edition 3.2 component
Exit code: 0
Version: 3.2.0.77764
Modules
Images
c:\users\admin\appdata\local\temp\mw-22fb7a87-fa4e-44e9-a83d-e3fde51db22b\files\apdproxy.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 3780
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: expand.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6180
CMD: "C:\WINDOWS\system32\EXPAND.EXE" -R files.cab -F:* files
Path: C:\Windows\SysWOW64\expand.exe
Parent process: msiexec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: LZ Expansion Utility
Exit code: 0
Version: 5.00 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\expand.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\user32.dll
PID: 6216
CMD: "c:\temp\Autoit3.exe" c:\temp\script.au3
Path: C:\temp\Autoit3.exe
Parent process: apdproxy.exe
User: admin
Company: AutoIt Team
Integrity Level: MEDIUM
Description: AutoIt v3 Script
Exit code: 0
Version: 3, 3, 14, 5
Modules
Images
c:\temp\autoit3.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\psapi.dll
PID: 6264
CMD: "C:\Windows\System32\msiexec.exe" /i C:\Users\admin\Desktop\independert.msi
Path: C:\Windows\System32\msiexec.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Exit code: 1603
Version: 5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 6380
CMD: C:\WINDOWS\system32\msiexec.exe /V
Path: C:\Windows\System32\msiexec.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows® installer
Version: 5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 6428
CMD: C:\WINDOWS\system32\vssvc.exe
Path: C:\Windows\System32\VSSVC.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft® Volume Shadow Copy Service
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 7044
CMD: C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:11
Path: C:\Windows\System32\SrTasks.exe
Parent process: msiexec.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft® Windows System Protection background tasks.
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\srtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 7056
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: SrTasks.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 7128
CMD: C:\Windows\syswow64\MsiExec.exe -Embedding 1A1029F6E2D44ECB0C5E3DDF1BA6C41F
Path: C:\Windows\SysWOW64\msiexec.exe
Parent process: msiexec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Exit code: 0
Version: 5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
Total events: 3 715
Read events: 3 532
Write events: 170
Delete events: 13

Modification events

(PID) Process: (6380) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation: write
Name: SrCreateRp (Enter)
Value:
48000000000000004A4DFDDCF048DB01EC1800000C190000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (6380) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Enter)
Value:
48000000000000004A4DFDDCF048DB01EC1800000C190000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (6380) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Leave)
Value:
48000000000000007A1A5ADDF048DB01EC1800000C190000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (6380) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Enter)
Value:
48000000000000007A1A5ADDF048DB01EC1800000C190000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (6380) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Leave)
Value:
48000000000000006BE65EDDF048DB01EC1800000C190000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (6380) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppCreate (Enter)
Value:
4800000000000000C8FE65DDF048DB01EC1800000C190000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (6428) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
Operation: write
Name: IDENTIFY (Enter)
Value:
4800000000000000DE010DDEF048DB011C1900003C190000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (6428) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
Operation: write
Name: IDENTIFY (Enter)
Value:
4800000000000000AA510FDEF048DB011C190000D4190000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (6428) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
Operation: write
Name: IDENTIFY (Enter)
Value:
4800000000000000AA510FDEF048DB011C19000038190000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (6428) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
Operation: write
Name: IDENTIFY (Enter)
Value:
4800000000000000AA510FDEF048DB011C190000DC190000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
Executable files: 12
Suspicious files: 16
Text files: 2
Unknown types: 0

Dropped files

PID
Process
Filename
Type
PID: 6380 | Process: msiexec.exe | Filename: C:\System Volume Information\SPP\metadata-2 | Type: (none listed)
MD5:
SHA256:
PID: 6380 | Process: msiexec.exe | Filename: C:\System Volume Information\SPP\snapshot-2 | Type: binary
MD5:B478C1C85F24C193D37C02F9619F391C
SHA256:F0063638B20701AC0BE5A83D42757F3A3F4FBE18719C4D9335764C708F729355
PID: 7128 | Process: msiexec.exe | Filename: C:\Users\admin\AppData\Local\Temp\MW-22fb7a87-fa4e-44e9-a83d-e3fde51db22b\files.cab | Type: compressed
MD5:B5A1995210150C6E9D362E967D83B590
SHA256:E0A36182DF70D6AF3289EA7C430874B8281DB531C767BEAB5131F6726F5635A2
PID: 6380 | Process: msiexec.exe | Filename: C:\Windows\Installer\13b902.msi | Type: executable
MD5:484BEA10F5D2A0C4BDFA342E133033C6
SHA256:846F339F39E82F358FE5D0985AFDE119563754C9A8030DC237EAC1A963A8BBF4
PID: 6380 | Process: msiexec.exe | Filename: C:\Windows\Installer\MSIBB45.tmp | Type: executable
MD5:D82B3FB861129C5D71F0CD2874F97216
SHA256:107B32C5B789BE9893F24D5BFE22633D25B7A3CAE80082EF37B30E056869CC5C
PID: 7128 | Process: msiexec.exe | Filename: C:\Users\admin\AppData\Local\Temp\MW-22fb7a87-fa4e-44e9-a83d-e3fde51db22b\msiwrapper.ini | Type: binary
MD5:FBC1F62F836FE864A0B32FAF2C5E548A
SHA256:88D839C9531A23A9E449613E757AC801DD676A59C77CC04A581B510BC7B945A9
PID: 6380 | Process: msiexec.exe | Filename: C:\Windows\Temp\~DF4CF6229599FAB019.TMP | Type: binary
MD5:3C3337CD183639C93E673888938FFDA0
SHA256:9C29255910DDAFDA03B2C1CA8853EB85A24A65DE65872AFD7EDBC1D3721C736B
PID: 6180 | Process: expand.exe | Filename: C:\Users\admin\AppData\Local\Temp\MW-22fb7a87-fa4e-44e9-a83d-e3fde51db22b\files\apdproxy.exe | Type: executable
MD5:FC9E59FE8BC4FE05382CFF5C8FC59DE1
SHA256:A16B93C374E77F98889D7AD7F38B2282DBC5A40511541B9105B1DCF9216C3CF3
PID: 6380 | Process: msiexec.exe | Filename: C:\Windows\Installer\SourceHash{4475B07E-B24B-45AB-9BE0-ED99A7F14744} | Type: binary
MD5:265656884D6BF6051F19D958C7CB6B73
SHA256:9EF1818A9AC168DADCD8B7D16874A4658DAF80470DCC56BD1C6809E1405B9260
PID: 6180 | Process: expand.exe | Filename: C:\Users\admin\AppData\Local\Temp\MW-22fb7a87-fa4e-44e9-a83d-e3fde51db22b\files\msvcp71.dll | Type: executable
MD5:561FA2ABB31DFA8FAB762145F81667C2
SHA256:DF96156F6A548FD6FE5672918DE5AE4509D3C810A57BFFD2A91DE45A3ED5B23B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 5
TCP/UDP connections: 19
DNS requests: 8
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3032 | RUXIMICS.exe | GET | 200 | 2.16.241.12:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
3032 | RUXIMICS.exe | GET | 200 | 88.221.125.143:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 88.221.125.143:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
2548 | svchost.exe | GET | 200 | 88.221.125.143:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
2548 | svchost.exe | GET | 200 | 2.16.241.12:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
(Type and Size were empty for every row in the report.)

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | | | | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
| | 2.23.209.187:443 | www.bing.com | Akamai International B.V. | GB | whitelisted
4712 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2548 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
| | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3032 | RUXIMICS.exe | 2.16.241.12:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
2548 | svchost.exe | 2.16.241.12:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
3032 | RUXIMICS.exe | 88.221.125.143:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 88.221.125.143:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
(Blank cells are blank in the report; rows without a PID or process were listed that way in the original.)

DNS requests

Domain
IP
Reputation
www.bing.com
  • 2.23.209.187
  • 2.23.209.130
  • 2.23.209.140
  • 2.23.209.149
  • 2.23.209.133
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.124.78.146
  • 4.231.128.59
whitelisted
google.com
  • 216.58.212.142
whitelisted
crl.microsoft.com
  • 2.16.241.12
  • 2.16.241.19
whitelisted
www.microsoft.com
  • 88.221.125.143
whitelisted
self.events.data.microsoft.com
  • 13.70.79.200
whitelisted

Threats

No threats detected
No debug info