File name: power.exe
Full analysis: https://app.any.run/tasks/428d6f3f-d805-450c-aa23-edfe76b85857
Verdict: Malicious activity
Analysis date: August 07, 2024, 16:44:12
OS: Windows 10 Professional (build: 19045, 64 bit)
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 53E8D1C8B51A16C183CF3C448D9669D4
SHA1: 2A83265CD724F1C9A60F4391136F97FA9D25502D
SHA256: 61BBD85A0DCA5A80D214BD0B57E81C22107594B680C899D039CB8F075C65416A
SSDEEP: 98304:mB0I5/udvsufk3LJzhLd3rZKL43YQK+blKYn:

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • power.exe (PID: 6836)
      • installer.exe (PID: 6260)
      • installer.tmp (PID: 3276)
      • msiexec.exe (PID: 6644)
  • SUSPICIOUS

    • Reads the date of Windows installation

      • power.exe (PID: 6836)
    • Reads security settings of Internet Explorer

      • power.exe (PID: 6836)
      • ApowerMirror.exe (PID: 6796)
    • Executable content was dropped or overwritten

      • installer.exe (PID: 6260)
      • installer.tmp (PID: 3276)
    • Reads the Windows owner or organization settings

      • installer.tmp (PID: 3276)
      • msiexec.exe (PID: 6644)
    • Starts CMD.EXE for commands execution

      • installer.tmp (PID: 3276)
      • cmd.exe (PID: 4824)
      • cmd.exe (PID: 6600)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 7100)
      • installer.tmp (PID: 3276)
    • Get information on the list of running processes

      • cmd.exe (PID: 4824)
      • cmd.exe (PID: 6600)
      • cmd.exe (PID: 6684)
      • cmd.exe (PID: 420)
    • Executing commands from a ".bat" file

      • installer.tmp (PID: 3276)
    • Application launched itself

      • cmd.exe (PID: 4824)
      • cmd.exe (PID: 6600)
    • Drops 7-zip archiver for unpacking

      • installer.tmp (PID: 3276)
    • Process drops legitimate windows executable

      • installer.tmp (PID: 3276)
      • msiexec.exe (PID: 6644)
    • The process drops C-runtime libraries

      • installer.tmp (PID: 3276)
    • Searches for installed software

      • installer.tmp (PID: 3276)
    • Checks Windows Trust Settings

      • msiexec.exe (PID: 6644)
    • Checks for Java to be installed

      • msiexec.exe (PID: 6908)
    • Creates/Modifies COM task schedule object

      • msiexec.exe (PID: 6644)
    • Executes as Windows Service

      • mDNSResponder.exe (PID: 6344)
    • Uses NETSH.EXE to delete a firewall rule or allowed programs

      • installer.tmp (PID: 3276)
    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • installer.tmp (PID: 3276)
    • Changes Internet Explorer settings (feature browser emulation)

      • installer.tmp (PID: 3276)
    • Reads Microsoft Outlook installation path

      • ApowerMirror.exe (PID: 6796)
    • There is functionality for taking screenshot (YARA)

      • ApowerMirror.exe (PID: 6796)
    • Reads Internet Explorer settings

      • ApowerMirror.exe (PID: 6796)
  • INFO

    • Creates files in the program directory

      • power.exe (PID: 6836)
      • installer.tmp (PID: 3276)
      • ApowerMirror.exe (PID: 6796)
    • Reads the computer name

      • power.exe (PID: 6836)
      • installer.tmp (PID: 3276)
      • msiexec.exe (PID: 6644)
      • msiexec.exe (PID: 6560)
      • msiexec.exe (PID: 6908)
      • msiexec.exe (PID: 2088)
      • mDNSResponder.exe (PID: 6344)
      • ApowerMirror.exe (PID: 6796)
      • identity_helper.exe (PID: 4296)
    • Create files in a temporary directory

      • power.exe (PID: 6836)
      • installer.tmp (PID: 3276)
      • installer.exe (PID: 6260)
    • Checks supported languages

      • power.exe (PID: 6836)
      • installer.tmp (PID: 3276)
      • installer.exe (PID: 6260)
      • msiexec.exe (PID: 6644)
      • msiexec.exe (PID: 6908)
      • msiexec.exe (PID: 6560)
      • msiexec.exe (PID: 2088)
      • mDNSResponder.exe (PID: 6344)
      • ApowerMirror.exe (PID: 6796)
      • identity_helper.exe (PID: 4296)
      • adb.exe (PID: 3972)
    • Checks proxy server information

      • power.exe (PID: 6836)
      • msiexec.exe (PID: 6908)
      • ApowerMirror.exe (PID: 6796)
    • Process checks computer location settings

      • power.exe (PID: 6836)
      • ApowerMirror.exe (PID: 6796)
    • Creates files or folders in the user directory

      • installer.tmp (PID: 3276)
      • msiexec.exe (PID: 6644)
      • ApowerMirror.exe (PID: 6796)
    • Reads the machine GUID from the registry

      • msiexec.exe (PID: 6644)
      • ApowerMirror.exe (PID: 6796)
    • Reads the software policy settings

      • msiexec.exe (PID: 6644)
      • ApowerMirror.exe (PID: 6796)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 6644)
    • Application launched itself

      • msiexec.exe (PID: 6644)
      • msedge.exe (PID: 904)
      • msedge.exe (PID: 5956)
    • Creates a software uninstall entry

      • installer.tmp (PID: 3276)
      • msiexec.exe (PID: 6644)
    • Manual execution by a user

      • msedge.exe (PID: 5956)
      • ApowerMirror.exe (PID: 6796)
    • Reads Microsoft Office registry keys

      • power.exe (PID: 6836)
      • msedge.exe (PID: 904)
      • msedge.exe (PID: 5956)
    • Reads Environment values

      • ApowerMirror.exe (PID: 6796)
      • identity_helper.exe (PID: 4296)
    • Process checks Internet Explorer phishing filters

      • ApowerMirror.exe (PID: 6796)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (18)
.exe | Win32 Executable (generic) (2.9)
.exe | Generic Win/DOS Executable (1.3)
.exe | DOS Executable Generic (1.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:11:28 08:54:50+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 14.29
CodeSize: 1233920
InitializedDataSize: 773632
UninitializedDataSize: -
EntryPoint: 0xeb545
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.1.1.6
ProductVersionNumber: 1.1.1.6
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
CompanyName: Apowersoft
FileDescription: Apowersoft Installer
FileVersion: 1.1.1.6
InternalName: Apowersoft Installer.exe
LegalCopyright: Copyright (C) 2023 WANGXU TECHNOLOGY CO. Ltd.
OriginalFileName: Apowersoft Installer.exe
ProductName: Apowersoft Installer
ProductVersion: 1.1.1.6
Total processes: 211
Monitored processes: 76
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Processes shown in the graph, in launch order (repeated msedge.exe, cmd.exe, conhost.exe, msiexec.exe and netsh.exe instances collapsed): power.exe, installer.exe, installer.tmp, cmd.exe, conhost.exe, taskkill.exe, tasklist.exe, find.exe, msiexec.exe, mdnsresponder.exe, netsh.exe, msedge.exe, apowermirror.exe (flagged THREAT), identity_helper.exe, netstat.exe, adb.exe, power.exe.

Process information

Columns: PID, CMD, Path, Indicators, Parent process
PID: 236
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_xpay_wallet.mojom.EdgeXPayWalletService --lang=en-US --service-sandbox-type=utility --no-appcompat-clear --mojo-platform-channel-handle=3816 --field-trial-handle=2300,i,15118011706718618280,15574840203955234252,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Version: 122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 320
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6112 --field-trial-handle=2300,i,15118011706718618280,15574840203955234252,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 420
CMD: C:\WINDOWS\system32\cmd.exe /c tasklist | find "ApowerMirror.exe"
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 1
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 608
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2512 --field-trial-handle=2300,i,15118011706718618280,15574840203955234252,262144 --variations-seed-version /prefetch:3
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge
Version: 122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 752
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: taskkill.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 904
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://r.aoscdn.com/jumper?type=install&product_id=113&language=en&unique_id=39e30d720e18376278a9be61a436df98&apptype=saas-pro&appver=1.8.9.2&first_install_ts=1723049223&ts=1723049223&wxga=&ct=1723049060&mt=1723049060&h=53e8d1c8b51a16c183cf3c448d9669d4&hash=1d32323750f8bcff5151a0d4a18a0e8b
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: power.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Edge
Exit code: 1
Version: 122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 1132
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6480 --field-trial-handle=2300,i,15118011706718618280,15574840203955234252,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1664
CMD: find "ApowerMirror.exe"
Path: C:\Windows\SysWOW64\find.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Find String (grep) Utility
Exit code: 1
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\find.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 1748
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3848 --field-trial-handle=2300,i,15118011706718618280,15574840203955234252,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2088
CMD: C:\Windows\syswow64\MsiExec.exe -Embedding 8EE91B2C80CB4CE69B30C7D1A6763E90 E Global\MSI0000
Path: C:\Windows\SysWOW64\msiexec.exe
Parent process: msiexec.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows® installer
Exit code: 0
Version: 5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
Total events: 82 678
Read events: 82 163
Write events: 483
Delete events: 32

Modification events

Process: (6836) power.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write; Name: ProxyBypass; Value: 1

Process: (6836) power.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write; Name: IntranetName; Value: 1

Process: (6836) power.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write; Name: UNCAsIntranet; Value: 1

Process: (6836) power.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write; Name: AutoDetect; Value: 0

Process: (3276) installer.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write; Name: Owner; Value: CC0C000071B3733EE9E8DA01

Process: (3276) installer.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write; Name: SessionHash; Value: E57DCDE2904550FB0F000E00F9A83BEC56139B011256526B98A70A35261E8C3B

Process: (3276) installer.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write; Name: Sequence; Value: 1

Process: (3276) installer.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write; Name: RegFiles0000; Value: C:\Program Files (x86)\Apowersoft\ApowerMirror\7z.dll

Process: (3276) installer.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write; Name: RegFilesHash; Value: 5CDEBB6DD1D9C1DFABAE2590AFE53E4888AAE2725AD0CFEE8DD59E124E272CF1

Process: (6644) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
Operation: write; Name: C:\Config.Msi\; Value:

Executable files: 239
Suspicious files: 119
Text files: 845
Unknown types: 26

Dropped files

Columns: PID, Process, Filename, Type

PID: 6836; Process: power.exe
Filename: C:\Users\admin\AppData\Local\Temp\installer.exe
MD5:
SHA256:

PID: 6260; Process: installer.exe
Filename: C:\Users\admin\AppData\Local\Temp\is-44G8A.tmp\installer.tmp
Type: executable
MD5: 08E1946ECF8670A3CEF6C2A28CF42380
SHA256: 5AE057FF19D5AC5EB36FBA26CFACFF7AE5D2D2D1A3BE4F684B94ADED15FE6477

PID: 6836; Process: power.exe
Filename: C:\Users\admin\AppData\Local\Temp\_gaid.txt
Type: text
MD5: 9DC18482AAC42AA569F3AD9239F9B074
SHA256: 3776917F85BF4564269E5149774CD44B7A804CDC6DA68ED8223CC9786EE1FFE7

PID: 3276; Process: installer.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-P0GUF.tmp\_isetup\_setup64.tmp
Type: executable
MD5: E4211D6D009757C078A9FAC7FF4F03D4
SHA256: 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95

PID: 6836; Process: power.exe
Filename: C:\Users\admin\AppData\Local\Temp\installer.exe.err.log
Type: text
MD5: 001867DE516905464263C1E83429FD64
SHA256: 2AD4BEC2D90E36A245309D2A22308959F7D8C23FF42639451BA67D8F8CDCB4D5

PID: 3276; Process: installer.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-P0GUF.tmp\KillProcessWithName.bat
Type: text
MD5: 12320B56FAD8A52D1FC409D7977637DB
SHA256: DAA5B50A7973DD0C49F0CD5F90C2351617146CDC0408E99CF7FCB219D0703299

PID: 3276; Process: installer.tmp
Filename: C:\Program Files (x86)\Apowersoft\ApowerMirror\unins000.exe
Type: executable
MD5: 08E1946ECF8670A3CEF6C2A28CF42380
SHA256: 5AE057FF19D5AC5EB36FBA26CFACFF7AE5D2D2D1A3BE4F684B94ADED15FE6477

PID: 3276; Process: installer.tmp
Filename: C:\Program Files (x86)\Apowersoft\ApowerMirror\is-TKLIO.tmp
Type: executable
MD5: 08E1946ECF8670A3CEF6C2A28CF42380
SHA256: 5AE057FF19D5AC5EB36FBA26CFACFF7AE5D2D2D1A3BE4F684B94ADED15FE6477

PID: 3276; Process: installer.tmp
Filename: C:\Program Files (x86)\Apowersoft\ApowerMirror\is-RC4AF.tmp
Type: executable
MD5: 653D9C59A7D6AE465BFB42E3D86453EF
SHA256: F7158DCC1B351CA7A2E2568DF56B9D2A119E6DB0645A437E7034E3360327C621

PID: 3276; Process: installer.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-P0GUF.tmp\isxdl.dll
Type: executable
MD5: F7B445A6CB2064D7B459451E86CA6B0E
SHA256: BD03543C37FEB48432E166FE3898ABC2A7FE854B1113EE4D5D284633B4605377
HTTP(S) requests: 62
TCP/UDP connections: 166
DNS requests: 108
Threats: 49

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5336
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
1360
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
1360
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6836
power.exe
GET
200
47.244.67.191:80
http://wx-user-behavior.cn-hongkong.log.aliyuncs.com/logstores/webtrack/track?APIVersion=0.6.0&__topic__=win-launcher&unique_id=39e30d720e18376278a9be61a436df98&session_id=1723049064&app=ApowerMirror&appid=113&apptype=saas-pro&installer_version=1.1.1.6&is_old_user=-1&last_step_duration=1&os_available_memory=2699504000&os_culture=0409&os_dpi=100&os_fullname=Microsoft%20Windows%2010%20Pro&os_lang=en-US&os_resolution=1280x720&os_total_memory=4188620000&os_version=10.0.19045&step=1
unknown
unknown
6836
power.exe
GET
200
47.244.67.191:80
http://wx-user-behavior.cn-hongkong.log.aliyuncs.com/logstores/webtrack/track?APIVersion=0.6.0&__topic__=win-launcher&unique_id=39e30d720e18376278a9be61a436df98&session_id=1723049064&app=ApowerMirror&appid=113&ga_request=https%3A%2F%2Fdownload.aoscdn.com%2Fapi%2Fclient%2Finfo%3Fot%3D1%26mt%3D1723049060%26ct%3D1723049060%26cc%3D4%26tz%3DGMT%252B0000%26ov%3D10.0%26g%3DMicrosoft%2520Basic%2520Display%2520Adapter%26h%3D53e8d1c8b51a16c183cf3c448d9669d4&step=1
unknown
unknown
6836
power.exe
GET
200
47.244.67.191:80
http://wx-user-behavior.cn-hongkong.log.aliyuncs.com/logstores/webtrack/track?APIVersion=0.6.0&__topic__=win-launcher&unique_id=39e30d720e18376278a9be61a436df98&session_id=1723049064&app=ApowerMirror&appid=113&ga_error=&ga_ok=0&ga_response=%7B%22status%22%3A404%2C%22message%22%3A%22Not%20found%22%7D&gaid=&step=1
unknown
unknown
6836
power.exe
GET
200
47.244.67.191:80
http://wx-user-behavior.cn-hongkong.log.aliyuncs.com/logstores/webtrack/track?APIVersion=0.6.0&__topic__=win-launcher&unique_id=39e30d720e18376278a9be61a436df98&session_id=1723049064&app=ApowerMirror&app_install_path=C%3A%5CProgram%20Files%20%28x86%29%5CApowersoft%5CApowerMirror&app_lang=English&appid=113&apptype=saas-pro&last_step_duration=3&step=2
unknown
unknown
6440
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
6836
power.exe
GET
302
47.243.121.132:80
http://download.aoscdn.com/down.php?softid=apowermirrorinstall-saas-pro
unknown
unknown
6836
power.exe
GET
404
163.181.92.228:80
http://cdn.aoscdn.com/img/contact-group/installer-113-qq.png?19942
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5588
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3888
svchost.exe
239.255.255.250:1900
whitelisted
4
System
192.168.100.255:138
whitelisted
2120
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5336
SearchApp.exe
2.23.209.140:443
www.bing.com
Akamai International B.V.
GB
unknown
5336
SearchApp.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
40.126.32.138:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1360
svchost.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
40.113.103.199:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 40.127.240.158
whitelisted
google.com
  • 142.250.181.238
whitelisted
www.bing.com
  • 2.23.209.140
  • 2.23.209.141
  • 2.23.209.158
  • 2.23.209.160
  • 2.23.209.148
  • 2.23.209.135
  • 2.23.209.150
  • 2.23.209.143
  • 2.23.209.156
  • 92.123.104.59
  • 92.123.104.31
  • 92.123.104.7
  • 92.123.104.32
  • 92.123.104.28
  • 92.123.104.60
  • 92.123.104.67
  • 92.123.104.52
  • 92.123.104.33
  • 92.123.104.40
  • 92.123.104.34
  • 92.123.104.21
  • 92.123.104.38
  • 92.123.104.19
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 40.126.32.138
  • 40.126.32.136
  • 40.126.32.76
  • 20.190.160.17
  • 40.126.32.68
  • 20.190.160.22
  • 40.126.32.133
  • 40.126.32.72
whitelisted
client.wns.windows.com
  • 40.113.103.199
  • 40.113.110.67
whitelisted
wx-user-behavior.cn-hongkong.log.aliyuncs.com
  • 47.244.67.191
  • 47.244.67.196
  • 47.52.212.53
  • 47.244.67.192
  • 47.244.67.194
  • 47.90.119.19
  • 47.89.5.161
  • 47.244.67.195
  • 47.244.67.197
  • 47.244.67.193
unknown
download.aoscdn.com
  • 47.243.121.132
unknown
fd.api.iris.microsoft.com
  • 20.223.35.26
whitelisted
th.bing.com
  • 92.123.104.31
  • 92.123.104.33
  • 92.123.104.28
  • 92.123.104.34
  • 92.123.104.38
  • 92.123.104.19
  • 92.123.104.21
  • 92.123.104.32
  • 92.123.104.40
whitelisted

Threats

PID
Process
Class
Message
2256
svchost.exe
Misc activity
ET INFO DNS Query to Alibaba Cloud CDN Domain (aliyuncs .com)
2256
svchost.exe
Misc activity
ET INFO DNS Query to Alibaba Cloud CDN Domain (aliyuncs .com)
608
msedge.exe
Misc activity
ET INFO DNS Query to Alibaba Cloud CDN Domain (aliyuncs .com)
608
msedge.exe
Misc activity
ET INFO DNS Query to Alibaba Cloud CDN Domain (aliyuncs .com)
608
msedge.exe
Misc activity
ET INFO Observed Alibaba Cloud CDN Domain (aliyuncs .com in TLS SNI)
6796
ApowerMirror.exe
Generic Protocol Command Decode
SURICATA HTTP Request unrecognized authorization method
6796
ApowerMirror.exe
Generic Protocol Command Decode
SURICATA HTTP Request unrecognized authorization method
6796
ApowerMirror.exe
Generic Protocol Command Decode
SURICATA HTTP Request unrecognized authorization method
6796
ApowerMirror.exe
Generic Protocol Command Decode
SURICATA HTTP Request unrecognized authorization method
6796
ApowerMirror.exe
Generic Protocol Command Decode
SURICATA HTTP Request unrecognized authorization method
No debug info