c5c249e6654e69397786271dfda6b770bbd444a82e1de83fbf11bc1c418eeb12

Analysis

max time kernel
61s
max time network
75s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
02-01-2023 06:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

90.9MB
MD5

9c7401301be2071690afd1d56ba21b11
SHA1

5c2911deea7a166fd0d5f7e264f5ea51f8e25a66
SHA256

c5c249e6654e69397786271dfda6b770bbd444a82e1de83fbf11bc1c418eeb12
SHA512

a47f233f0412def9d0beb73b5f6f95708482c20b7c8b6e8f1c8d36183a292bb4c297ef7f2d6befd69ac18e5144819ca01681bdef3546980877c5b92fa862dee6
SSDEEP

1572864:iF9CQ4CEmFZJG8bgXfG4NdxJNtpLzwHvMtxb5h+i6mgVCRG:iTDd7GVfT5JN3LSUtxdp6mu

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules	mDNSResponder.exe

Blocklisted process makes network request 4 IoCs

flow	pid	Process
3	1956	msiexec.exe
5	1956	msiexec.exe
7	1956	msiexec.exe
9	1956	msiexec.exe

Executes dropped EXE 2 IoCs

pid	Process
1216	Setup.tmp
1876	mDNSResponder.exe

Modifies Windows Firewall 1 TTPs 3 IoCs

evasion

Modify Existing Service

T1031

pid	Process
1252	netsh.exe
1304	netsh.exe
2012	netsh.exe

Registers COM server for autorun 1 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\InprocServer32\ThreadingModel = "Both"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\InprocServer32\ = "C:\\Windows\\system32\\dnssdX.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\InprocServer32\ = "C:\\Windows\\system32\\dnssdX.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{BEEB932A-8D4A-4619-AEFE-A836F988B221}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BEEB932A-8D4A-4619-AEFE-A836F988B221}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\InprocServer32\ = "C:\\Windows\\system32\\dnssdX.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\InprocServer32\ = "C:\\Windows\\system32\\dnssdX.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BEEB932A-8D4A-4619-AEFE-A836F988B221}\InprocServer32\ = "C:\\Windows\\system32\\dnssdX.dll"	msiexec.exe

Loads dropped DLL 15 IoCs

pid	Process
1820	Setup.exe
1216	Setup.tmp
1052	MsiExec.exe
1052	MsiExec.exe
1052	MsiExec.exe
1976	MsiExec.exe
1976	MsiExec.exe
1472	MsiExec.exe
1988	MsiExec.exe
1936	MsiExec.exe
464	Process not Found
1216	Setup.tmp
1216	Setup.tmp
1216	Setup.tmp
1216	Setup.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\jdns_sd.dll	msiexec.exe
File created	C:\Windows\system32\jdns_sd.dll	msiexec.exe
File created	C:\Windows\SysWOW64\dns-sd.exe	msiexec.exe
File created	C:\Windows\system32\dns-sd.exe	msiexec.exe
File created	C:\Windows\SysWOW64\dnssd.dll	msiexec.exe
File created	C:\Windows\system32\dnssd.dll	msiexec.exe
File created	C:\Windows\SysWOW64\dnssdX.dll	msiexec.exe
File created	C:\Windows\system32\dnssdX.dll	msiexec.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Apowersoft\ApowerMirror\is-OBICC.tmp	Setup.tmp
File created	C:\Program Files (x86)\Apowersoft\ApowerMirror\is-TNSPL.tmp	Setup.tmp
File created	C:\Program Files (x86)\Apowersoft\ApowerMirror\Help\BleTutoralHelp\img\is-LUJ1H.tmp	Setup.tmp
File created	C:\Program Files (x86)\Apowersoft\ApowerMirror\Help\GuideHelp\img\android\is-2EG4D.tmp	Setup.tmp
File created	C:\Program Files (x86)\Apowersoft\ApowerMirror\Help\UsbDebug\OPPO_files-de\is-6J789.tmp	Setup.tmp
File created	C:\Program Files (x86)\Apowersoft\ApowerMirror\Help\UsbDebug\MI_files\is-HCRB9.tmp	Setup.tmp
File created	C:\Program Files (x86)\Apowersoft\ApowerMirror\Help\UsbDebug\SamSung_files\is-DLLM3.tmp	Setup.tmp
File created	C:\Program Files (x86)\Apowersoft\ApowerMirror\Help\UsbDebug\OPPO_files-de\is-6VTG2.tmp	Setup.tmp
File created	C:\Program Files (x86)\Apowersoft\ApowerMirror\is-LM30S.tmp	Setup.tmp
File created	C:\Program Files (x86)\Apowersoft\ApowerMirror\android\is-060S7.tmp	Setup.tmp
File created	C:\Program Files (x86)\Apowersoft\ApowerMirror\Help\BleTutoralHelp\img\is-MR9EK.tmp	Setup.tmp
File created	C:\Program Files (x86)\Apowersoft\ApowerMirror\Help\UsbDebug\is-HK1J6.tmp	Setup.tmp
File created	C:\Program Files (x86)\Apowersoft\ApowerMirror\Help\UsbDebug\is-HFHKR.tmp	Setup.tmp
File created	C:\Program Files (x86)\Apowersoft\ApowerMirror\Help\UsbDebug\MI_files\is-UO951.tmp	Setup.tmp
File created	C:\Program Files (x86)\Apowersoft\ApowerMirror\is-BS250.tmp	Setup.tmp
File created	C:\Program Files (x86)\Apowersoft\ApowerMirror\Help\UsbDebug\is-ID7R7.tmp	Setup.tmp
File created	C:\Program Files (x86)\Apowersoft\ApowerMirror\Help\UsbDebug\is-NEFIL.tmp	Setup.tmp
File created	C:\Program Files (x86)\Apowersoft\ApowerMirror\Help\UsbDebug\HUAWEI_files\is-6OES1.tmp	Setup.tmp
File created	C:\Program Files (x86)\Apowersoft\ApowerMirror\Help\UsbDebug\VIVO-SUB_files\is-CEJOF.tmp	Setup.tmp
File created	C:\Program Files (x86)\Apowersoft\ApowerMirror\Help\UsbDebug\SamSung_files\is-0AMI4.tmp	Setup.tmp
File opened for modification	C:\Program Files (x86)\Apowersoft\ApowerMirror\libairplay.dll	Setup.tmp
File opened for modification	C:\Program Files (x86)\Apowersoft\ApowerMirror\pthreadVC2.dll	Setup.tmp
File opened for modification	C:\Program Files (x86)\Apowersoft\ApowerMirror\WXTcpMedia.dll	Setup.tmp
File created	C:\Program Files (x86)\Apowersoft\ApowerMirror\is-R2CQA.tmp	Setup.tmp
File created	C:\Program Files (x86)\Apowersoft\ApowerMirror\Help\GuideHelp\css\is-CKL3C.tmp	Setup.tmp
File created	C:\Program Files (x86)\Apowersoft\ApowerMirror\Help\UsbDebug\is-UVL7M.tmp	Setup.tmp
File opened for modification	C:\Program Files (x86)\Apowersoft\ApowerMirror\msvcr120.dll	Setup.tmp
File created	C:\Program Files (x86)\Apowersoft\ApowerMirror\is-V1B60.tmp	Setup.tmp
File created	C:\Program Files (x86)\Apowersoft\ApowerMirror\Help\BleTutoralHelp\img\is-8VV9H.tmp	Setup.tmp
File created	C:\Program Files (x86)\Apowersoft\ApowerMirror\Help\GuideHelp\img\ios-app\is-S68RA.tmp	Setup.tmp
File created	C:\Program Files (x86)\Apowersoft\ApowerMirror\Help\GuideHelp\img\tv\is-APQPB.tmp	Setup.tmp
File created	C:\Program Files (x86)\Apowersoft\ApowerMirror\Help\UsbDebug\OnePlus_files-es\is-084EP.tmp	Setup.tmp
File opened for modification	C:\Program Files (x86)\Apowersoft\ApowerMirror\libffmpeg.dll	Setup.tmp
File created	C:\Program Files (x86)\Apowersoft\ApowerMirror\Help\UsbDebug\is-ET17B.tmp	Setup.tmp
File created	C:\Program Files (x86)\Apowersoft\ApowerMirror\Help\UsbDebug\SamSung_files-es\is-45F01.tmp	Setup.tmp
File opened for modification	C:\Program Files (x86)\Apowersoft\ApowerMirror\Apowersoft.LibChromecastWrapper.dll	Setup.tmp
File created	C:\Program Files (x86)\Apowersoft\ApowerMirror\is-GCNE8.tmp	Setup.tmp
File created	C:\Program Files (x86)\Apowersoft\ApowerMirror\is-FAJFE.tmp	Setup.tmp
File created	C:\Program Files (x86)\Apowersoft\ApowerMirror\Help\GuideHelp\img\ios\is-596AV.tmp	Setup.tmp
File created	C:\Program Files (x86)\Apowersoft\ApowerMirror\Help\GuideHelp\img\ios-app\is-HNLVA.tmp	Setup.tmp
File created	C:\Program Files (x86)\Apowersoft\ApowerMirror\Help\UsbDebug\is-CQLIU.tmp	Setup.tmp
File opened for modification	C:\Program Files (x86)\Apowersoft\ApowerMirror\Blink.dll	Setup.tmp
File created	C:\Program Files (x86)\Apowersoft\ApowerMirror\is-3ASAL.tmp	Setup.tmp
File created	C:\Program Files (x86)\Apowersoft\ApowerMirror\Help\UsbDebug\is-HDQR8.tmp	Setup.tmp
File created	C:\Program Files (x86)\Apowersoft\ApowerMirror\Help\UsbDebug\is-PPGR0.tmp	Setup.tmp
File created	C:\Program Files (x86)\Apowersoft\ApowerMirror\Help\UsbDebug\VIVO_files\is-8PRJL.tmp	Setup.tmp
File created	C:\Program Files (x86)\Apowersoft\ApowerMirror\is-3KVU0.tmp	Setup.tmp
File created	C:\Program Files (x86)\Apowersoft\ApowerMirror\is-1FVH7.tmp	Setup.tmp
File created	C:\Program Files (x86)\Apowersoft\ApowerMirror\is-JTFR0.tmp	Setup.tmp
File created	C:\Program Files (x86)\Apowersoft\ApowerMirror\Help\GuideHelp\css\is-D1JLR.tmp	Setup.tmp
File created	C:\Program Files (x86)\Apowersoft\ApowerMirror\Help\GuideHelp\img\ios-app\is-2SF3T.tmp	Setup.tmp
File created	C:\Program Files (x86)\Apowersoft\ApowerMirror\Help\GuideHelp\img\ios-app\is-G0BUK.tmp	Setup.tmp
File created	C:\Program Files (x86)\Apowersoft\ApowerMirror\Help\GuideHelp\img\ios\is-QVE6P.tmp	Setup.tmp
File created	C:\Program Files (x86)\Apowersoft\ApowerMirror\Help\UsbDebug\HUAWEI_files\is-7PATE.tmp	Setup.tmp
File created	C:\Program Files (x86)\Apowersoft\ApowerMirror\Lang\is-SP668.tmp	Setup.tmp
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\es.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Apowersoft\ApowerMirror\Help\UsbDebug\is-CMBBG.tmp	Setup.tmp
File created	C:\Program Files (x86)\Apowersoft\ApowerMirror\Help\UsbDebug\is-UFFMN.tmp	Setup.tmp
File created	C:\Program Files (x86)\Apowersoft\ApowerMirror\Help\UsbDebug\is-7D277.tmp	Setup.tmp
File created	C:\Program Files (x86)\Apowersoft\ApowerMirror\Help\UsbDebug\MEIZU_files-es\is-GSFLJ.tmp	Setup.tmp
File created	C:\Program Files (x86)\Apowersoft\ApowerMirror\Help\UsbDebug\VIVO_files\is-5I278.tmp	Setup.tmp
File created	C:\Program Files (x86)\Apowersoft\ApowerMirror\Lang\is-M1ELC.tmp	Setup.tmp
File opened for modification	C:\Program Files (x86)\Apowersoft\ApowerMirror\zxing.dll	Setup.tmp
File opened for modification	C:\Program Files (x86)\Apowersoft\ApowerMirror\SharpVectors.Core.dll	Setup.tmp

Drops file in Windows directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSID2B8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{56DDDFB8-7F79-4480-89D5-25E1F52AB28F}\Bonjour.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID2A8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICEC0.tmp	msiexec.exe
File created	C:\Windows\Installer\6cc600.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID643.tmp	msiexec.exe
File created	C:\Windows\Installer\{56DDDFB8-7F79-4480-89D5-25E1F52AB28F}\Bonjour.ico	msiexec.exe
File created	C:\Windows\Installer\{56DDDFB8-7F79-4480-89D5-25E1F52AB28F}\RichText.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\{56DDDFB8-7F79-4480-89D5-25E1F52AB28F}\RichText.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\6cc600.ipi	msiexec.exe
File created	C:\Windows\Installer\6cc5fe.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID7CB.tmp	msiexec.exe
File created	C:\Windows\Installer\6cc603.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\6cc5fe.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID596.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICE52.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
1536	tasklist.exe
1700	tasklist.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
772	taskkill.exe
1168	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	Setup.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\ApowerMirror.exe = "11001"	Setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	Setup.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\ApowerMirror.exe = "11001"	Setup.tmp

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{29DE265F-8402-474F-833A-D4653B23458F}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{9CE603A0-3365-4DA0-86D1-3F780ECBA110}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{18FBED6D-F2B7-4EC8-A4A4-46282E635308}\1.0\ = "Apple Bonjour Library 1.0"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Bonjour.TXTRecord.1	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\InprocServer32\ = "C:\\Windows\\SysWOW64\\dnssdX.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{29DE265F-8402-474F-833A-D4653B23458F}\ = "IDNSSDService"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\ProgID	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8BFDDD6597F70844985D521E5FA22BF8\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\NumMethods	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\ProgID	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{21AE8D7F-D5FE-45CF-B632-CFA2C2C6B498}\ProxyStubClsid32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BEEB932A-8D4A-4619-AEFE-A836F988B221}\AppID = "{56608F9C-223B-4CB6-813D-85EDCCADFB4B}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\TypeLib\ = "{18FBED6D-F2B7-4EC8-A4A4-46282E635308}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{9CE603A0-3365-4DA0-86D1-3F780ECBA110}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{7FD72324-63E1-45AD-B337-4D525BD98DAD}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{21AE8D7F-D5FE-45CF-B632-CFA2C2C6B498}\ = "_IDNSSDEvents"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{29DE265F-8402-474F-833A-D4653B23458F}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Bonjour.TXTRecord.1\ = "TXTRecord Class"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{29DE265F-8402-474F-833A-D4653B23458F}\TypeLib\Version = "1.0"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{18FBED6D-F2B7-4EC8-A4A4-46282E635308}\1.0\0	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{8FA0889C-5973-4FC9-970B-EC15C925D0CE}\ProxyStubClsid32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\InprocServer32\ = "C:\\Windows\\SysWOW64\\dnssdX.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\TypeLib\ = "{18FBED6D-F2B7-4EC8-A4A4-46282E635308}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\VersionIndependentProgID	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8BFDDD6597F70844985D521E5FA22BF8\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{BEEB932A-8D4A-4619-AEFE-A836F988B221}\Programmable	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{29DE265F-8402-474F-833A-D4653B23458F}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BEEB932A-8D4A-4619-AEFE-A836F988B221}\VersionIndependentProgID\ = "Bonjour.DNSSDEventManager"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{18FBED6D-F2B7-4EC8-A4A4-46282E635308}\1.0\0\win64\ = "C:\\Windows\\system32\\dnssdX.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7FD72324-63E1-45AD-B337-4D525BD98DAD}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Bonjour.DNSSDRecord.1\CLSID\ = "{5E93C5A9-7516-4259-A67B-41A656F6E01C}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{BEEB932A-8D4A-4619-AEFE-A836F988B221}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{8FA0889C-5973-4FC9-970B-EC15C925D0CE}\TypeLib	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{29DE265F-8402-474F-833A-D4653B23458F}\ProxyStubClsid	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\Bonjour.DLL\AppID = "{56608F9C-223B-4CB6-813D-85EDCCADFB4B}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{BEEB932A-8D4A-4619-AEFE-A836F988B221}\Programmable	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{29DE265F-8402-474F-833A-D4653B23458F}\ProxyStubClsid32\ = "{7FD72324-63E1-45AD-B337-4D525BD98DAD}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{29DE265F-8402-474F-833A-D4653B23458F}\ProxyStubClsid	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FA0889C-5973-4FC9-970B-EC15C925D0CE}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{9CE603A0-3365-4DA0-86D1-3F780ECBA110}\ProxyStubClsid	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BEEB932A-8D4A-4619-AEFE-A836F988B221}\InprocServer32\ = "C:\\Windows\\SysWOW64\\dnssdX.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{18FBED6D-F2B7-4EC8-A4A4-46282E635308}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Bonjour\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{29DE265F-8402-474F-833A-D4653B23458F}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8BFDDD6597F70844985D521E5FA22BF8\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\Programmable	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9CE603A0-3365-4DA0-86D1-3F780ECBA110}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\ProxyStubClsid32\ = "{7FD72324-63E1-45AD-B337-4D525BD98DAD}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29DE265F-8402-474F-833A-D4653B23458F}\TypeLib\ = "{18FBED6D-F2B7-4EC8-A4A4-46282E635308}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Bonjour.DNSSDRecord.1	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{21AE8D7F-D5FE-45CF-B632-CFA2C2C6B498}\TypeLib	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{7FD72324-63E1-45AD-B337-4D525BD98DAD}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\1523EA646D34FC14C8FD9E203C58611D	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\AppID = "{56608F9C-223B-4CB6-813D-85EDCCADFB4B}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\VersionIndependentProgID	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\VersionIndependentProgID	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\InprocServer32\ = "C:\\Windows\\system32\\dnssdX.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9CE603A0-3365-4DA0-86D1-3F780ECBA110}\TypeLib\Version = "1.0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}	msiexec.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	13	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1216	Setup.tmp
1216	Setup.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1700	tasklist.exe
Token: SeDebugPrivilege	772	taskkill.exe
Token: SeDebugPrivilege	1536	tasklist.exe
Token: SeDebugPrivilege	1168	taskkill.exe
Token: SeShutdownPrivilege	540	msiexec.exe
Token: SeIncreaseQuotaPrivilege	540	msiexec.exe
Token: SeRestorePrivilege	1956	msiexec.exe
Token: SeTakeOwnershipPrivilege	1956	msiexec.exe
Token: SeSecurityPrivilege	1956	msiexec.exe
Token: SeCreateTokenPrivilege	540	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	540	msiexec.exe
Token: SeLockMemoryPrivilege	540	msiexec.exe
Token: SeIncreaseQuotaPrivilege	540	msiexec.exe
Token: SeMachineAccountPrivilege	540	msiexec.exe
Token: SeTcbPrivilege	540	msiexec.exe
Token: SeSecurityPrivilege	540	msiexec.exe
Token: SeTakeOwnershipPrivilege	540	msiexec.exe
Token: SeLoadDriverPrivilege	540	msiexec.exe
Token: SeSystemProfilePrivilege	540	msiexec.exe
Token: SeSystemtimePrivilege	540	msiexec.exe
Token: SeProfSingleProcessPrivilege	540	msiexec.exe
Token: SeIncBasePriorityPrivilege	540	msiexec.exe
Token: SeCreatePagefilePrivilege	540	msiexec.exe
Token: SeCreatePermanentPrivilege	540	msiexec.exe
Token: SeBackupPrivilege	540	msiexec.exe
Token: SeRestorePrivilege	540	msiexec.exe
Token: SeShutdownPrivilege	540	msiexec.exe
Token: SeDebugPrivilege	540	msiexec.exe
Token: SeAuditPrivilege	540	msiexec.exe
Token: SeSystemEnvironmentPrivilege	540	msiexec.exe
Token: SeChangeNotifyPrivilege	540	msiexec.exe
Token: SeRemoteShutdownPrivilege	540	msiexec.exe
Token: SeUndockPrivilege	540	msiexec.exe
Token: SeSyncAgentPrivilege	540	msiexec.exe
Token: SeEnableDelegationPrivilege	540	msiexec.exe
Token: SeManageVolumePrivilege	540	msiexec.exe
Token: SeImpersonatePrivilege	540	msiexec.exe
Token: SeCreateGlobalPrivilege	540	msiexec.exe
Token: SeRestorePrivilege	1956	msiexec.exe
Token: SeTakeOwnershipPrivilege	1956	msiexec.exe
Token: SeRestorePrivilege	1956	msiexec.exe
Token: SeTakeOwnershipPrivilege	1956	msiexec.exe
Token: SeRestorePrivilege	1956	msiexec.exe
Token: SeTakeOwnershipPrivilege	1956	msiexec.exe
Token: SeRestorePrivilege	1956	msiexec.exe
Token: SeTakeOwnershipPrivilege	1956	msiexec.exe
Token: SeRestorePrivilege	1956	msiexec.exe
Token: SeTakeOwnershipPrivilege	1956	msiexec.exe
Token: SeRestorePrivilege	1956	msiexec.exe
Token: SeTakeOwnershipPrivilege	1956	msiexec.exe
Token: SeRestorePrivilege	1956	msiexec.exe
Token: SeTakeOwnershipPrivilege	1956	msiexec.exe
Token: SeRestorePrivilege	1956	msiexec.exe
Token: SeTakeOwnershipPrivilege	1956	msiexec.exe
Token: SeRestorePrivilege	1956	msiexec.exe
Token: SeTakeOwnershipPrivilege	1956	msiexec.exe
Token: SeRestorePrivilege	1956	msiexec.exe
Token: SeTakeOwnershipPrivilege	1956	msiexec.exe
Token: SeRestorePrivilege	1956	msiexec.exe
Token: SeTakeOwnershipPrivilege	1956	msiexec.exe
Token: SeRestorePrivilege	1956	msiexec.exe
Token: SeTakeOwnershipPrivilege	1956	msiexec.exe
Token: SeRestorePrivilege	1956	msiexec.exe
Token: SeTakeOwnershipPrivilege	1956	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1216	Setup.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1820 wrote to memory of 1216	1820	Setup.exe	28
PID 1820 wrote to memory of 1216	1820	Setup.exe	28
PID 1820 wrote to memory of 1216	1820	Setup.exe	28
PID 1820 wrote to memory of 1216	1820	Setup.exe	28
PID 1820 wrote to memory of 1216	1820	Setup.exe	28
PID 1820 wrote to memory of 1216	1820	Setup.exe	28
PID 1820 wrote to memory of 1216	1820	Setup.exe	28
PID 1216 wrote to memory of 704	1216	Setup.tmp	29
PID 1216 wrote to memory of 704	1216	Setup.tmp	29
PID 1216 wrote to memory of 704	1216	Setup.tmp	29
PID 1216 wrote to memory of 704	1216	Setup.tmp	29
PID 704 wrote to memory of 636	704	cmd.exe	31
PID 704 wrote to memory of 636	704	cmd.exe	31
PID 704 wrote to memory of 636	704	cmd.exe	31
PID 704 wrote to memory of 636	704	cmd.exe	31
PID 636 wrote to memory of 1700	636	cmd.exe	32
PID 636 wrote to memory of 1700	636	cmd.exe	32
PID 636 wrote to memory of 1700	636	cmd.exe	32
PID 636 wrote to memory of 1700	636	cmd.exe	32
PID 636 wrote to memory of 292	636	cmd.exe	33
PID 636 wrote to memory of 292	636	cmd.exe	33
PID 636 wrote to memory of 292	636	cmd.exe	33
PID 636 wrote to memory of 292	636	cmd.exe	33
PID 1216 wrote to memory of 772	1216	Setup.tmp	35
PID 1216 wrote to memory of 772	1216	Setup.tmp	35
PID 1216 wrote to memory of 772	1216	Setup.tmp	35
PID 1216 wrote to memory of 772	1216	Setup.tmp	35
PID 1216 wrote to memory of 1708	1216	Setup.tmp	37
PID 1216 wrote to memory of 1708	1216	Setup.tmp	37
PID 1216 wrote to memory of 1708	1216	Setup.tmp	37
PID 1216 wrote to memory of 1708	1216	Setup.tmp	37
PID 1708 wrote to memory of 1688	1708	cmd.exe	39
PID 1708 wrote to memory of 1688	1708	cmd.exe	39
PID 1708 wrote to memory of 1688	1708	cmd.exe	39
PID 1708 wrote to memory of 1688	1708	cmd.exe	39
PID 1688 wrote to memory of 1536	1688	cmd.exe	40
PID 1688 wrote to memory of 1536	1688	cmd.exe	40
PID 1688 wrote to memory of 1536	1688	cmd.exe	40
PID 1688 wrote to memory of 1536	1688	cmd.exe	40
PID 1688 wrote to memory of 1964	1688	cmd.exe	41
PID 1688 wrote to memory of 1964	1688	cmd.exe	41
PID 1688 wrote to memory of 1964	1688	cmd.exe	41
PID 1688 wrote to memory of 1964	1688	cmd.exe	41
PID 1216 wrote to memory of 1168	1216	Setup.tmp	42
PID 1216 wrote to memory of 1168	1216	Setup.tmp	42
PID 1216 wrote to memory of 1168	1216	Setup.tmp	42
PID 1216 wrote to memory of 1168	1216	Setup.tmp	42
PID 1216 wrote to memory of 540	1216	Setup.tmp	44
PID 1216 wrote to memory of 540	1216	Setup.tmp	44
PID 1216 wrote to memory of 540	1216	Setup.tmp	44
PID 1216 wrote to memory of 540	1216	Setup.tmp	44
PID 1216 wrote to memory of 540	1216	Setup.tmp	44
PID 1216 wrote to memory of 540	1216	Setup.tmp	44
PID 1216 wrote to memory of 540	1216	Setup.tmp	44
PID 1956 wrote to memory of 1052	1956	msiexec.exe	46
PID 1956 wrote to memory of 1052	1956	msiexec.exe	46
PID 1956 wrote to memory of 1052	1956	msiexec.exe	46
PID 1956 wrote to memory of 1052	1956	msiexec.exe	46
PID 1956 wrote to memory of 1052	1956	msiexec.exe	46
PID 1956 wrote to memory of 1976	1956	msiexec.exe	47
PID 1956 wrote to memory of 1976	1956	msiexec.exe	47
PID 1956 wrote to memory of 1976	1956	msiexec.exe	47
PID 1956 wrote to memory of 1976	1956	msiexec.exe	47
PID 1956 wrote to memory of 1976	1956	msiexec.exe	47

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Users\Admin\AppData\Local\Temp\is-9GHH6.tmp\Setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-9GHH6.tmp\Setup.tmp" /SL5="$80022,94366084,912896,C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1216
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-HJENH.tmp\KillProcessWithName.bat" "ApowerMirror.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:704
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist | find "ApowerMirror.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:636
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1700
    - - C:\Windows\SysWOW64\find.exe
        
        find "ApowerMirror.exe"
        5⤵
        
        PID:292
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\system32\taskkill.exe" /f /t /im "ApowersoftAndroidDaemon.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:772
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-HJENH.tmp\KillProcessWithName.bat" "ApowerMirror.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1708
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist | find "ApowerMirror.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1688
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1536
    - - C:\Windows\SysWOW64\find.exe
        
        find "ApowerMirror.exe"
        5⤵
        
        PID:1964
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\system32\taskkill.exe" /f /t /im "ApowersoftAndroidDaemon.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1168
- - C:\Windows\SysWOW64\msiexec.exe
    "msiexec.exe" /i "C:\Program Files (x86)\Apowersoft\ApowerMirror\Bonjour64.msi" /quiet
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:540
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name="ApowerMirror" program="C:\Program Files (x86)\Apowersoft\ApowerMirror\ApowerMirror.exe"
    3⤵
    - Modifies Windows Firewall
    PID:1252
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="ApowerMirror" dir=in action=allow program="C:\Program Files (x86)\Apowersoft\ApowerMirror\ApowerMirror.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:1304
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="ApowerMirror" dir=out action=allow program="C:\Program Files (x86)\Apowersoft\ApowerMirror\ApowerMirror.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:2012

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Registers COM server for autorun
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding 32D91B46B2C0C171E93485FC471CA874
  2⤵
  - Loads dropped DLL
  PID:1052
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 22BFD43312D02EAD315ED0B27DDD0BDC
  2⤵
  - Loads dropped DLL
  PID:1976
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding BB8124ABDB29F4297549428E20C4CF5E M Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:1472
- C:\Windows\system32\MsiExec.exe
  "C:\Windows\system32\MsiExec.exe" /Y "C:\Program Files\Bonjour\mdnsNSP.dll"
  2⤵
  - Loads dropped DLL
  PID:1988
- C:\Windows\syswow64\MsiExec.exe
  "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\Bonjour\mdnsNSP.dll"
  2⤵
  - Loads dropped DLL
  PID:1936

C:\Program Files\Bonjour\mDNSResponder.exe
"C:\Program Files\Bonjour\mDNSResponder.exe"
1⤵
- Modifies firewall policy service
- Executes dropped EXE
PID:1876

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Apowersoft\ApowerMirror\Bonjour64.msi

Filesize
2.6MB

MD5
86e2b390629665fbc20e06dfbf01a48f

SHA1
d9f4697a6f4eceea24735822cb1df501268ca0b0

SHA256
46e31e284da64d6c2d366352b8a8abcf7db28d3e2a870d8fcf15c4a6fe0a6dd1

SHA512
05ecd3be5779f39db09329dda4dce0e3c49ac5d3950e92833031622b53542dadbe9e2948df35faeb4c41dbc8e01992935087c4a2975c797bd008ae177f7c3fea

Download Submit
C:\Program Files (x86)\Bonjour\mdnsNSP.dll

Filesize
119KB

MD5
f6d02735de16705c1ebe6429592cd355

SHA1
c6ee693de2c01cad34012471b70d87869969a0cb

SHA256
356c49c5e1328fb181c295a84292471c566e11099e46d7a34c017931863d86a4

SHA512
1e37adcdcb399f1d9f84599dcd4254b7da342f6d52f6af7faf51fe618c96fbb3754813e97cf7c5ec224dac58d341658d8422dcd8bb26549bbf4952251353cd13

Download Submit
C:\Program Files\Bonjour\mDNSResponder.exe

Filesize
451KB

MD5
b5c2f92ee1106dfe7bb1cce4d35b6037

SHA1
31070ef84c5355b082873ffc19ff60659637995f

SHA256
e399c390687589194d8aad385055f0cfa7d52ad9e837d8ff95008b8eb2b34e50

SHA512
7f82752b271ee35bad31a8571ae33b8cc83ef48f41937297dfc446f6f9b12da3d8b8336a527f6bbc5bc3c6627deadbd38a5f109b16c7d1386a3db36742c5a9c7

Download Submit
C:\Program Files\Bonjour\mdnsNSP.dll

Filesize
130KB

MD5
eaaa2b83c4764fdcfbee4a4d6546de92

SHA1
961a7e7735ee8f07ca54fa7cbfb23399748f8174

SHA256
043779b2c684699c89d6e8363d65baa9f31dff17d250059b56a8e3ae48c89b5b

SHA512
bc569de847db42bc2b1bc0a6ee0a792269b1d7dccffc8a5f0f6130495cabb8accb5ee312a0c749ccc13c395e4969a1a5738132ebb41cfebfaaf41126ac9737d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9GHH6.tmp\Setup.tmp

Filesize
2.6MB

MD5
78712327252bed02dc38b9c4e8d481b0

SHA1
ec0c9a896be8d64a7d811af87ed99f5f1f9673d0

SHA256
3dc8b95786c242e788351920020f2a3e4b0dc9297a60a82e9c9e0ea3c93ca854

SHA512
092bafc81294ac3dab561217adfe2bf5c6bbcf5960fded86530406a9a9a410ff81198b3d65a5c83a83665c9ff07a09fa082db3ca087609e2e6e571b25d3283f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9GHH6.tmp\Setup.tmp

Filesize
2.6MB

MD5
78712327252bed02dc38b9c4e8d481b0

SHA1
ec0c9a896be8d64a7d811af87ed99f5f1f9673d0

SHA256
3dc8b95786c242e788351920020f2a3e4b0dc9297a60a82e9c9e0ea3c93ca854

SHA512
092bafc81294ac3dab561217adfe2bf5c6bbcf5960fded86530406a9a9a410ff81198b3d65a5c83a83665c9ff07a09fa082db3ca087609e2e6e571b25d3283f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HJENH.tmp\KillProcessWithName.bat

Filesize
155B

MD5
12320b56fad8a52d1fc409d7977637db

SHA1
dee01db8bac192d111d16d3d4505e2464bc6746c

SHA256
daa5b50a7973dd0c49f0cd5f90c2351617146cdc0408e99cf7fcb219d0703299

SHA512
6760d9257eefd8568fbd640a99ed24f4e91b91f6f323ffc7103008084ffeb33e869daf265d74670d62723de771410f5e68d3b9accdef35829068ee0a0fe8e48b

Download Submit
C:\Windows\Installer\MSICE52.tmp

Filesize
76KB

MD5
950087e828e1b7426f703678e446c799

SHA1
c9f28be9b9f810132ec8d78c161e5a232491e60e

SHA256
8a41eaa0d699f48661c2560aeffe4b0432cf755f1b15e31ac9aff667d498b3ee

SHA512
9ab24bf84a4534e219df132a0b43874c1d6410ef802c69e65c5aaf3d0c46085470690851ef23303f9a48076e8ae552d816903e02c43c1af83e6fc3457d2acb93

Download Submit
C:\Windows\Installer\MSICEC0.tmp

Filesize
76KB

MD5
950087e828e1b7426f703678e446c799

SHA1
c9f28be9b9f810132ec8d78c161e5a232491e60e

SHA256
8a41eaa0d699f48661c2560aeffe4b0432cf755f1b15e31ac9aff667d498b3ee

SHA512
9ab24bf84a4534e219df132a0b43874c1d6410ef802c69e65c5aaf3d0c46085470690851ef23303f9a48076e8ae552d816903e02c43c1af83e6fc3457d2acb93

Download Submit
C:\Windows\Installer\MSID2B8.tmp

Filesize
76KB

MD5
950087e828e1b7426f703678e446c799

SHA1
c9f28be9b9f810132ec8d78c161e5a232491e60e

SHA256
8a41eaa0d699f48661c2560aeffe4b0432cf755f1b15e31ac9aff667d498b3ee

SHA512
9ab24bf84a4534e219df132a0b43874c1d6410ef802c69e65c5aaf3d0c46085470690851ef23303f9a48076e8ae552d816903e02c43c1af83e6fc3457d2acb93

Download Submit
C:\Windows\Installer\MSID596.tmp

Filesize
75KB

MD5
6f8e3e4f72620bddc633f0175f47161e

SHA1
53ed75a208cc84f1a065e9e4ece356371cac0341

SHA256
2adf199f6baf245f0b07d31a3a1401d4262c3e6c98b8f10df923ceb2c937291e

SHA512
80187277e78f59b7ea71ed3caa55452e730d93b8c296d5820d470776a428cbb7e7fead87240e811436f85e4d89df2b9f31d6d16658d21abf59395cab7074a869

Download Submit
C:\Windows\Installer\MSID643.tmp

Filesize
75KB

MD5
6f8e3e4f72620bddc633f0175f47161e

SHA1
53ed75a208cc84f1a065e9e4ece356371cac0341

SHA256
2adf199f6baf245f0b07d31a3a1401d4262c3e6c98b8f10df923ceb2c937291e

SHA512
80187277e78f59b7ea71ed3caa55452e730d93b8c296d5820d470776a428cbb7e7fead87240e811436f85e4d89df2b9f31d6d16658d21abf59395cab7074a869

Download Submit
C:\Windows\Installer\MSID7CB.tmp

Filesize
75KB

MD5
6f8e3e4f72620bddc633f0175f47161e

SHA1
53ed75a208cc84f1a065e9e4ece356371cac0341

SHA256
2adf199f6baf245f0b07d31a3a1401d4262c3e6c98b8f10df923ceb2c937291e

SHA512
80187277e78f59b7ea71ed3caa55452e730d93b8c296d5820d470776a428cbb7e7fead87240e811436f85e4d89df2b9f31d6d16658d21abf59395cab7074a869

Download Submit
\Program Files (x86)\Apowersoft\ApowerMirror\ApowerMirror.exe

Filesize
7.0MB

MD5
1ad62b5cae2e8db947840c2fb38dcfed

SHA1
1521d9d80f616d374d69c582d7dc80f6c10dd7c7

SHA256
74a5dc3c4a7a2c90aac283c428564f23d1d7c73e232ab981e785af4d41622505

SHA512
2e0af291c3bb0cb4ff5d490e6fc674b416d6f114762bf5ebef4545a8ebefb0f9eafe82023f05fae6ca5f0a7e37fe7fe57fffd633d662d66ee0451cf042711451

Download Submit
\Program Files (x86)\Apowersoft\ApowerMirror\ApowerMirror.exe

Filesize
7.0MB

MD5
1ad62b5cae2e8db947840c2fb38dcfed

SHA1
1521d9d80f616d374d69c582d7dc80f6c10dd7c7

SHA256
74a5dc3c4a7a2c90aac283c428564f23d1d7c73e232ab981e785af4d41622505

SHA512
2e0af291c3bb0cb4ff5d490e6fc674b416d6f114762bf5ebef4545a8ebefb0f9eafe82023f05fae6ca5f0a7e37fe7fe57fffd633d662d66ee0451cf042711451

Download Submit
\Program Files (x86)\Apowersoft\ApowerMirror\unins000.exe

Filesize
2.6MB

MD5
78712327252bed02dc38b9c4e8d481b0

SHA1
ec0c9a896be8d64a7d811af87ed99f5f1f9673d0

SHA256
3dc8b95786c242e788351920020f2a3e4b0dc9297a60a82e9c9e0ea3c93ca854

SHA512
092bafc81294ac3dab561217adfe2bf5c6bbcf5960fded86530406a9a9a410ff81198b3d65a5c83a83665c9ff07a09fa082db3ca087609e2e6e571b25d3283f7

Download Submit
\Program Files (x86)\Bonjour\mdnsNSP.dll

Filesize
119KB

MD5
f6d02735de16705c1ebe6429592cd355

SHA1
c6ee693de2c01cad34012471b70d87869969a0cb

SHA256
356c49c5e1328fb181c295a84292471c566e11099e46d7a34c017931863d86a4

SHA512
1e37adcdcb399f1d9f84599dcd4254b7da342f6d52f6af7faf51fe618c96fbb3754813e97cf7c5ec224dac58d341658d8422dcd8bb26549bbf4952251353cd13

Download Submit
\Program Files (x86)\Bonjour\mdnsNSP.dll

Filesize
119KB

MD5
f6d02735de16705c1ebe6429592cd355

SHA1
c6ee693de2c01cad34012471b70d87869969a0cb

SHA256
356c49c5e1328fb181c295a84292471c566e11099e46d7a34c017931863d86a4

SHA512
1e37adcdcb399f1d9f84599dcd4254b7da342f6d52f6af7faf51fe618c96fbb3754813e97cf7c5ec224dac58d341658d8422dcd8bb26549bbf4952251353cd13

Download Submit
\Program Files\Bonjour\mDNSResponder.exe

Filesize
451KB

MD5
b5c2f92ee1106dfe7bb1cce4d35b6037

SHA1
31070ef84c5355b082873ffc19ff60659637995f

SHA256
e399c390687589194d8aad385055f0cfa7d52ad9e837d8ff95008b8eb2b34e50

SHA512
7f82752b271ee35bad31a8571ae33b8cc83ef48f41937297dfc446f6f9b12da3d8b8336a527f6bbc5bc3c6627deadbd38a5f109b16c7d1386a3db36742c5a9c7

Download Submit
\Program Files\Bonjour\mdnsNSP.dll

Filesize
130KB

MD5
eaaa2b83c4764fdcfbee4a4d6546de92

SHA1
961a7e7735ee8f07ca54fa7cbfb23399748f8174

SHA256
043779b2c684699c89d6e8363d65baa9f31dff17d250059b56a8e3ae48c89b5b

SHA512
bc569de847db42bc2b1bc0a6ee0a792269b1d7dccffc8a5f0f6130495cabb8accb5ee312a0c749ccc13c395e4969a1a5738132ebb41cfebfaaf41126ac9737d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-9GHH6.tmp\Setup.tmp

Filesize
2.6MB

MD5
78712327252bed02dc38b9c4e8d481b0

SHA1
ec0c9a896be8d64a7d811af87ed99f5f1f9673d0

SHA256
3dc8b95786c242e788351920020f2a3e4b0dc9297a60a82e9c9e0ea3c93ca854

SHA512
092bafc81294ac3dab561217adfe2bf5c6bbcf5960fded86530406a9a9a410ff81198b3d65a5c83a83665c9ff07a09fa082db3ca087609e2e6e571b25d3283f7

Download Submit
\Users\Admin\AppData\Local\Temp\is-HJENH.tmp\isxdl.dll

Filesize
130KB

MD5
f7b445a6cb2064d7b459451e86ca6b0e

SHA1
b05b74a1988c10df8c73eb9ca1a41af2a49647b7

SHA256
bd03543c37feb48432e166fe3898abc2a7fe854b1113ee4d5d284633b4605377

SHA512
9cf6d791132660d5246f55d25018ad0cf2791de9f6032531b9aca9a6c84396b8aeca7a9c0410f835637659f396817d8ba40f45d3b80c7907cccbe275a345a465

Download Submit
\Windows\Installer\MSICE52.tmp

Filesize
76KB

MD5
950087e828e1b7426f703678e446c799

SHA1
c9f28be9b9f810132ec8d78c161e5a232491e60e

SHA256
8a41eaa0d699f48661c2560aeffe4b0432cf755f1b15e31ac9aff667d498b3ee

SHA512
9ab24bf84a4534e219df132a0b43874c1d6410ef802c69e65c5aaf3d0c46085470690851ef23303f9a48076e8ae552d816903e02c43c1af83e6fc3457d2acb93

Download Submit
\Windows\Installer\MSICEC0.tmp

Filesize
76KB

MD5
950087e828e1b7426f703678e446c799

SHA1
c9f28be9b9f810132ec8d78c161e5a232491e60e

SHA256
8a41eaa0d699f48661c2560aeffe4b0432cf755f1b15e31ac9aff667d498b3ee

SHA512
9ab24bf84a4534e219df132a0b43874c1d6410ef802c69e65c5aaf3d0c46085470690851ef23303f9a48076e8ae552d816903e02c43c1af83e6fc3457d2acb93

Download Submit
\Windows\Installer\MSID2B8.tmp

Filesize
76KB

MD5
950087e828e1b7426f703678e446c799

SHA1
c9f28be9b9f810132ec8d78c161e5a232491e60e

SHA256
8a41eaa0d699f48661c2560aeffe4b0432cf755f1b15e31ac9aff667d498b3ee

SHA512
9ab24bf84a4534e219df132a0b43874c1d6410ef802c69e65c5aaf3d0c46085470690851ef23303f9a48076e8ae552d816903e02c43c1af83e6fc3457d2acb93

Download Submit
\Windows\Installer\MSID596.tmp

Filesize
75KB

MD5
6f8e3e4f72620bddc633f0175f47161e

SHA1
53ed75a208cc84f1a065e9e4ece356371cac0341

SHA256
2adf199f6baf245f0b07d31a3a1401d4262c3e6c98b8f10df923ceb2c937291e

SHA512
80187277e78f59b7ea71ed3caa55452e730d93b8c296d5820d470776a428cbb7e7fead87240e811436f85e4d89df2b9f31d6d16658d21abf59395cab7074a869

Download Submit
\Windows\Installer\MSID643.tmp

Filesize
75KB

MD5
6f8e3e4f72620bddc633f0175f47161e

SHA1
53ed75a208cc84f1a065e9e4ece356371cac0341

SHA256
2adf199f6baf245f0b07d31a3a1401d4262c3e6c98b8f10df923ceb2c937291e

SHA512
80187277e78f59b7ea71ed3caa55452e730d93b8c296d5820d470776a428cbb7e7fead87240e811436f85e4d89df2b9f31d6d16658d21abf59395cab7074a869

Download Submit
\Windows\Installer\MSID7CB.tmp

Filesize
75KB

MD5
6f8e3e4f72620bddc633f0175f47161e

SHA1
53ed75a208cc84f1a065e9e4ece356371cac0341

SHA256
2adf199f6baf245f0b07d31a3a1401d4262c3e6c98b8f10df923ceb2c937291e

SHA512
80187277e78f59b7ea71ed3caa55452e730d93b8c296d5820d470776a428cbb7e7fead87240e811436f85e4d89df2b9f31d6d16658d21abf59395cab7074a869

Download Submit
memory/1216-75-0x00000000744E1000-0x00000000744E3000-memory.dmp

Filesize
8KB

Download
memory/1820-54-0x00000000760A1000-0x00000000760A3000-memory.dmp

Filesize
8KB

Download
memory/1820-63-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/1820-57-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/1820-55-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/1820-119-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/1956-80-0x000007FEFBCE1000-0x000007FEFBCE3000-memory.dmp

Filesize
8KB

Download