Malware analysis PowerISO9-x64.exe Malicious activity

Add for printing

File name:	PowerISO9-x64.exe
Full analysis:	https://app.any.run/tasks/bcb2eef2-5a79-44b2-9625-697657711fac
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	May 25, 2025, 23:36:10
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	arch-exec loader
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:	CF650F9B34B148062EBE6C22DF8E90F9
SHA1:	87627D462E33E56FC0B02794AFFA2E1025BCB147
SHA256:	FD71330EA4492A503D4E72FA00B9758B24ED6832614623F4E3EBF356389335EF
SSDEEP:	98304:KXyc5BeFXLGmji9YhUDbezbDd/J9K5tieuSXqM4u1mMZlG+moXt5yg3JZMhkG/1y:07soltWt5v

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: on
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Registers / Runs the DLL via REGSVR32.EXE
  - PowerISO9-x64.exe (PID: 2136)
  - PowerISO.exe (PID: 8004)
- Changes the autorun value in the registry
  - PowerISO9-x64.exe (PID: 2136)
SUSPICIOUS
- Executable content was dropped or overwritten
  - PowerISO9-x64.exe (PID: 1628)
  - PowerISO9-x64.exe (PID: 2136)
  - setup64.exe (PID: 1184)
  - saBSI.exe (PID: 6728)
  - saBSI.exe (PID: 5776)
  - cookie_mmm_irs_ppi_005_888_d.exe (PID: 6656)
  - avast_free_antivirus_setup_online_x64.exe (PID: 7644)
  - Instup.exe (PID: 7860)
  - installer.exe (PID: 7232)
  - installer.exe (PID: 7928)
- The process creates files with name similar to system file names
  - PowerISO9-x64.exe (PID: 2136)
  - PowerISO9-x64.exe (PID: 1628)
- Malware-specific behavior (creating "System.dll" in Temp)
  - PowerISO9-x64.exe (PID: 2136)
  - PowerISO9-x64.exe (PID: 1628)
- There is functionality for taking screenshot (YARA)
  - PowerISO9-x64.exe (PID: 2136)
- Creates files in the driver directory
  - setup64.exe (PID: 1184)
- Drops a system driver (possible attempt to evade defenses)
  - setup64.exe (PID: 1184)
- Drops 7-zip archiver for unpacking
  - PowerISO9-x64.exe (PID: 2136)
- Reads security settings of Internet Explorer
  - PowerISO9-x64.exe (PID: 2136)
  - saBSI.exe (PID: 5776)
  - saBSI.exe (PID: 6728)
  - PowerISO.exe (PID: 8004)
- Creates a software uninstall entry
  - PowerISO9-x64.exe (PID: 2136)
- Creates or modifies Windows services
  - PowerISO9-x64.exe (PID: 2136)
- Adds/modifies Windows certificates
  - saBSI.exe (PID: 5776)
- The process verifies whether the antivirus software is installed
  - saBSI.exe (PID: 6728)
- Process requests binary or script from the Internet
  - cookie_mmm_irs_ppi_005_888_d.exe (PID: 6656)
- Creates/Modifies COM task schedule object
  - regsvr32.exe (PID: 864)
- Potential Corporate Privacy Violation
  - cookie_mmm_irs_ppi_005_888_d.exe (PID: 6656)
- Reads the date of Windows installation
  - PowerISO.exe (PID: 8004)
- Starts itself from another location
  - Instup.exe (PID: 7860)
INFO
- Create files in a temporary directory
  - PowerISO9-x64.exe (PID: 2136)
  - saBSI.exe (PID: 6728)
  - PowerISO.exe (PID: 8004)
  - PowerISO9-x64.exe (PID: 1628)
- Checks supported languages
  - PowerISO9-x64.exe (PID: 2136)
  - devcon.exe (PID: 2108)
  - setup64.exe (PID: 1184)
  - saBSI.exe (PID: 5776)
  - cookie_mmm_irs_ppi_005_888_d.exe (PID: 6656)
  - saBSI.exe (PID: 6728)
  - PWRISOVM.EXE (PID: 5156)
  - identity_helper.exe (PID: 3884)
  - PowerISO.exe (PID: 8004)
  - avast_free_antivirus_setup_online_x64.exe (PID: 7644)
  - Instup.exe (PID: 7860)
  - PowerISO9-x64.exe (PID: 1628)
- The sample compiled with english language support
  - PowerISO9-x64.exe (PID: 2136)
  - setup64.exe (PID: 1184)
  - saBSI.exe (PID: 5776)
  - cookie_mmm_irs_ppi_005_888_d.exe (PID: 6656)
  - avast_free_antivirus_setup_online_x64.exe (PID: 7644)
  - Instup.exe (PID: 7860)
  - installer.exe (PID: 7232)
  - saBSI.exe (PID: 6728)
  - installer.exe (PID: 7928)
- Disables trace logs
  - PowerISO9-x64.exe (PID: 1628)
  - PowerISO9-x64.exe (PID: 2136)
- Reads the machine GUID from the registry
  - PowerISO9-x64.exe (PID: 1628)
  - PowerISO9-x64.exe (PID: 2136)
  - cookie_mmm_irs_ppi_005_888_d.exe (PID: 6656)
  - saBSI.exe (PID: 5776)
  - saBSI.exe (PID: 6728)
  - avast_free_antivirus_setup_online_x64.exe (PID: 7644)
  - Instup.exe (PID: 7860)
- Reads the computer name
  - PowerISO9-x64.exe (PID: 1628)
  - PowerISO9-x64.exe (PID: 2136)
  - saBSI.exe (PID: 5776)
  - cookie_mmm_irs_ppi_005_888_d.exe (PID: 6656)
  - saBSI.exe (PID: 6728)
  - identity_helper.exe (PID: 3884)
  - avast_free_antivirus_setup_online_x64.exe (PID: 7644)
  - PowerISO.exe (PID: 8004)
  - Instup.exe (PID: 7860)
- Checks proxy server information
  - PowerISO9-x64.exe (PID: 2136)
  - PowerISO9-x64.exe (PID: 1628)
  - saBSI.exe (PID: 6728)
  - saBSI.exe (PID: 5776)
  - avast_free_antivirus_setup_online_x64.exe (PID: 7644)
  - Instup.exe (PID: 7860)
  - PowerISO.exe (PID: 8004)
- Creates files in the program directory
  - PowerISO9-x64.exe (PID: 2136)
  - saBSI.exe (PID: 5776)
  - saBSI.exe (PID: 6728)
  - avast_free_antivirus_setup_online_x64.exe (PID: 7644)
  - Instup.exe (PID: 7860)
- The sample compiled with chinese language support
  - PowerISO9-x64.exe (PID: 2136)
- Reads the software policy settings
  - PowerISO9-x64.exe (PID: 1628)
  - cookie_mmm_irs_ppi_005_888_d.exe (PID: 6656)
  - saBSI.exe (PID: 5776)
  - saBSI.exe (PID: 6728)
  - Instup.exe (PID: 7860)
  - PowerISO9-x64.exe (PID: 2136)
  - avast_free_antivirus_setup_online_x64.exe (PID: 7644)
- Process checks computer location settings
  - PowerISO9-x64.exe (PID: 2136)
  - PowerISO.exe (PID: 8004)
- Application launched itself
  - msedge.exe (PID: 4608)
  - msedge.exe (PID: 2772)
- Manual execution by a user
  - msedge.exe (PID: 2772)
  - PowerISO.exe (PID: 8004)
  - PowerISO9-x64.exe (PID: 1628)
- Reads Environment values
  - identity_helper.exe (PID: 3884)
  - Instup.exe (PID: 7860)
- Reads CPU info
  - avast_free_antivirus_setup_online_x64.exe (PID: 7644)
  - Instup.exe (PID: 7860)
- Creates files or folders in the user directory
  - PowerISO.exe (PID: 8004)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2019:12:16 00:50:53+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	26112
InitializedDataSize:	141824
UninitializedDataSize:	2048
EntryPoint:	0x350d
OSVersion:	4
ImageVersion:	6
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	9.1.0.0
ProductVersionNumber:	9.1.0.0
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Windows, Latin1
CompanyName:	Power Software Ltd
FileDescription:	PowerISO 64-bit Installer
FileVersion:	9.1.0.0
LegalCopyright:	Copyright(c) Power Software Ltd
ProductName:	PowerISO 64-bit
ProductVersion:	9.1.0.0

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

188

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

864

/s "C:\Program Files\PowerISO\PWRISOSH.DLL"

C:\Windows\System32\regsvr32.exe

—

regsvr32.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft(C) Register Server

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

1184

"C:\Program Files\PowerISO\setup64.exe" cp C:\Users\admin\AppData\Local\Temp\nsdFD71.tmp "C:\WINDOWS\system32\Drivers\scdemu.sys"

C:\Program Files\PowerISO\setup64.exe

PowerISO9-x64.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\program files\poweriso\setup64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

1452

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6208 --field-trial-handle=2368,i,7051587218619339061,9060339226239221147,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1532

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2324 --field-trial-handle=2380,i,3541945995142287000,2121702874459476842,262144 --variations-seed-version /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

1628

"C:\Users\admin\Desktop\PowerISO9-x64.exe"

C:\Users\admin\Desktop\PowerISO9-x64.exe

explorer.exe

User:

admin

Company:

Power Software Ltd

Integrity Level:

HIGH

Description:

PowerISO 64-bit Installer

Exit code:

Version:

9.1.0.0

Modules

Images
c:\users\admin\desktop\poweriso9-x64.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

2092

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2336 --field-trial-handle=2368,i,7051587218619339061,9060339226239221147,262144 --variations-seed-version /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2108

"C:\Program Files\PowerISO\devcon.exe" remove *scdbusDevice

C:\Program Files\PowerISO\devcon.exe

—

PowerISO9-x64.exe

User:

admin

Company:

Windows (R) Server 2003 DDK provider

Integrity Level:

HIGH

Description:

Windows Setup API

Exit code:

Version:

5.2.3790.1830 built by: WinDDK

Modules

Images
c:\program files\poweriso\devcon.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

2136

"C:\Users\admin\Desktop\PowerISO9-x64.exe"

C:\Users\admin\Desktop\PowerISO9-x64.exe

explorer.exe

User:

admin

Company:

Power Software Ltd

Integrity Level:

HIGH

Description:

PowerISO 64-bit Installer

Exit code:

Version:

9.1.0.0

Modules

Images
c:\users\admin\desktop\poweriso9-x64.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

2316

"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files\PowerISO\PWRISOSH.DLL"

C:\Windows\SysWOW64\regsvr32.exe

—

PowerISO9-x64.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft(C) Register Server

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

2772

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --flag-switches-begin --flag-switches-end --do-not-de-elevate --single-argument http://www.poweriso.com/thankyou.htm

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

31 015

Read events

29 064

Write events

1 932

Delete events

Modification events


(PID) Process:	(2136) PowerISO9-x64.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\PowerISO
Operation:	write	Name:	TbInstallFlag
Value: 0
(PID) Process:	(2136) PowerISO9-x64.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\PowerISO
Operation:	write	Name:	TbInstallFlag2
Value: 0
(PID) Process:	(2136) PowerISO9-x64.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PowerISO9-x64_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(2136) PowerISO9-x64.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PowerISO9-x64_RASAPI32
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(2136) PowerISO9-x64.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PowerISO9-x64_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(2136) PowerISO9-x64.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PowerISO9-x64_RASAPI32
Operation:	write	Name:	FileTracingMask
Value:
(PID) Process:	(2136) PowerISO9-x64.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PowerISO9-x64_RASAPI32
Operation:	write	Name:	ConsoleTracingMask
Value:
(PID) Process:	(2136) PowerISO9-x64.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PowerISO9-x64_RASAPI32
Operation:	write	Name:	MaxFileSize
Value: 1048576
(PID) Process:	(2136) PowerISO9-x64.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PowerISO9-x64_RASAPI32
Operation:	write	Name:	FileDirectory
Value: %windir%\tracing
(PID) Process:	(2136) PowerISO9-x64.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PowerISO9-x64_RASMANCS
Operation:	write	Name:	EnableFileTracing
Value: 0

Add for printing

Executable files

Suspicious files

205

Text files

641

Unknown types

Dropped files

PID	Process	Filename		Type
1628	PowerISO9-x64.exe	C:\Users\admin\AppData\Local\Temp\nscE14B.tmp		binary
		MD5:8B23AB5670AECA1BBC8A5B1CC0540CE2	SHA256:7D109E6F939F20FBFF8E2480963BDD1DA0671D081D005439E09C6F57D0ED72A5
2136	PowerISO9-x64.exe	C:\Program Files\PowerISO\devcon.exe		executable
		MD5:9D199564B65A91A531B23844649459E9	SHA256:8DC2490D1D650E3FFBF70922B81AE9800DDD29A644E4D7D29E9616E22A7D0F42
2136	PowerISO9-x64.exe	C:\Program Files\PowerISO\setup64.exe		executable
		MD5:477C9C7AA483ECDD45686858862D21F1	SHA256:83D53B78B54F6CCB825BD1409A9699DF11F8D45D2D27C06C4CFFA167DDA62E72
2136	PowerISO9-x64.exe	C:\Users\admin\AppData\Local\Temp\nsdFD71.tmp		executable
		MD5:92EAE8DEC1F992DB12AA23D9D55F264A	SHA256:D01A58E0A222E4D301B75AE80150D8CBC17F56B3F6458352D2C7C449BE302EEE
2136	PowerISO9-x64.exe	C:\Program Files\PowerISO\Lang\Korean.ini		text
		MD5:D636B4311FE65520768AB9601D00301E	SHA256:400CAE7EBCC1EB4706AB4F363DCF497300EAB448EA425897F4803E7BFE843F3F
2136	PowerISO9-x64.exe	C:\Users\admin\AppData\Local\Temp\nsxBCEB.tmp\System.dll		executable
		MD5:8CF2AC271D7679B1D68EEFC1AE0C5618	SHA256:6950991102462D84FDC0E3B0AE30C95AF8C192F77CE3D78E8D54E6B22F7C09BA
2136	PowerISO9-x64.exe	C:\Users\admin\AppData\Local\Temp\nsxBCEB.tmp\nsnBDE6.tmp		executable
		MD5:2BDF5A9D2007C879B665B9C631A9CEBB	SHA256:DD8C9F10E6115C70A774DD017B2D300108D7AB082D8475D6E3AD53A0DD45124C
1628	PowerISO9-x64.exe	C:\Users\admin\AppData\Local\Temp\nscE14C.tmp\System.dll		executable
		MD5:8CF2AC271D7679B1D68EEFC1AE0C5618	SHA256:6950991102462D84FDC0E3B0AE30C95AF8C192F77CE3D78E8D54E6B22F7C09BA
2136	PowerISO9-x64.exe	C:\Users\admin\AppData\Local\Temp\nsxBCEB.tmp\modern-header.bmp		image
		MD5:CA2542B0E66E48D7E3F361C8EEF8F720	SHA256:4566DFCC153CBA168A02EEBC5DDD9D82832CF463EBB8ECB4EC2F269F9F85AECA
1628	PowerISO9-x64.exe	C:\Users\admin\AppData\Local\Temp\nscE14C.tmp\nshE256.tmp		executable
		MD5:2BDF5A9D2007C879B665B9C631A9CEBB	SHA256:DD8C9F10E6115C70A774DD017B2D300108D7AB082D8475D6E3AD53A0DD45124C

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

146

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5496	MoUsoCoreWorker.exe	GET	200	2.18.121.139:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	FR	binary	825 b	whitelisted
—	—	GET	200	2.18.121.139:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	FR	binary	825 b	whitelisted
5496	MoUsoCoreWorker.exe	GET	200	2.20.154.94:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	ZA	binary	868 b	whitelisted
—	—	GET	200	2.20.154.94:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	ZA	binary	868 b	whitelisted
—	—	GET	200	2.20.154.94:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	ZA	binary	868 b	whitelisted
6656	cookie_mmm_irs_ppi_005_888_d.exe	POST	403	34.117.223.223:80	http://v7event.stats.avast.com/cgi-bin/iavsevents.cgi	US	html	317 b	whitelisted
6656	cookie_mmm_irs_ppi_005_888_d.exe	POST	200	142.250.179.174:80	http://www.google-analytics.com/collect	US	image	35 b	whitelisted
7860	Instup.exe	GET	200	96.16.53.146:80	http://d3176133.iavs9x.u.avast.com/iavs9x/servers.def.vpx	NL	binary	2.39 Kb	whitelisted
7860	Instup.exe	GET	200	96.16.53.146:80	http://n2833777.iavs9x.u.avast.com/iavs9x/avdump_x64_ais-a67.vpx	NL	binary	951 Kb	whitelisted
7860	Instup.exe	GET	200	96.16.53.146:80	http://n2833777.iavs9x.u.avast.com/iavs9x/prod-pgm.vpx	NL	binary	572 b	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5496	MoUsoCoreWorker.exe	2.18.121.139:80	crl.microsoft.com	AKAMAI-AS	FR	whitelisted
—	—	2.18.121.139:80	crl.microsoft.com	AKAMAI-AS	FR	whitelisted
—	—	2.20.154.94:80	www.microsoft.com	Telkom-Internet	ZA	whitelisted
5496	MoUsoCoreWorker.exe	2.20.154.94:80	www.microsoft.com	Telkom-Internet	ZA	whitelisted
5496	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2136	PowerISO9-x64.exe	3.167.226.171:443	d2v0zetgu6hotv.cloudfront.net	—	US	whitelisted
1628	PowerISO9-x64.exe	3.167.226.171:443	d2v0zetgu6hotv.cloudfront.net	—	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59	whitelisted
google.com	142.251.39.110	whitelisted
crl.microsoft.com	2.18.121.139	whitelisted
www.microsoft.com	2.20.154.94	whitelisted
d2v0zetgu6hotv.cloudfront.net	3.167.226.171	whitelisted
d2szyrfwv98jnz.cloudfront.net	3.160.156.122	whitelisted
iavs9x.u.avast.com	96.16.53.146	whitelisted
www.google-analytics.com	142.250.179.174	whitelisted
v7event.stats.avast.com	34.117.223.223	whitelisted
analytics.apis.mcafee.com	44.239.60.154	unknown

Threats

PID	Process	Class	Message
6656	cookie_mmm_irs_ppi_005_888_d.exe	Potential Corporate Privacy Violation	ET INFO PE EXE or DLL Windows file download HTTP
2092	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
2092	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
2092	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
2092	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
2092	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
2092	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)

Add for printing

No debug info

General Info

PowerISO9-x64.exe

CF650F9B34B148062EBE6C22DF8E90F9

87627D462E33E56FC0B02794AFFA2E1025BCB147

FD71330EA4492A503D4E72FA00B9758B24ED6832614623F4E3EBF356389335EF

98304:KXyc5BeFXLGmji9YhUDbezbDd/J9K5tieuSXqM4u1mMZlG+moXt5yg3JZMhkG/1y:07soltWt5v

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Registers / Runs the DLL via REGSVR32.EXE

Changes the autorun value in the registry

SUSPICIOUS

Executable content was dropped or overwritten

The process creates files with name similar to system file names

Malware-specific behavior (creating "System.dll" in Temp)

There is functionality for taking screenshot (YARA)

Creates files in the driver directory

Drops a system driver (possible attempt to evade defenses)

Drops 7-zip archiver for unpacking

Reads security settings of Internet Explorer

Creates a software uninstall entry

Creates or modifies Windows services

Adds/modifies Windows certificates

The process verifies whether the antivirus software is installed

Process requests binary or script from the Internet

Creates/Modifies COM task schedule object

Potential Corporate Privacy Violation

Reads the date of Windows installation

Starts itself from another location

INFO

Create files in a temporary directory

Checks supported languages

The sample compiled with english language support

Disables trace logs

Reads the machine GUID from the registry

Reads the computer name

Checks proxy server information

Creates files in the program directory

The sample compiled with chinese language support

Reads the software policy settings

Process checks computer location settings

Application launched itself

Manual execution by a user

Reads Environment values

Reads CPU info

Creates files or folders in the user directory

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity