URL:

https://www.aomeitech.com/partners/biggest-christmas-carnival-giveaway-2358.html?x-clickref=1011lA5PVQeR&x-clickref=1011lA5Q2vzo&x-clickref=1100lzXAgAQy#backup-software

Full analysis: https://app.any.run/tasks/842b5d81-87aa-4a96-81a5-ac67f06fdea0
Verdict: Malicious activity
Threats:

A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices.

Malware Trends Tracker     >>>
Analysis date: December 25, 2024, 01:30:21
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
stealer
floxif
backdoor
spyware
Indicators:
MD5:

C67AFFB207F4E58113EC3812BC93D9AE

SHA1:

030A8D79B5317748BCBE17F9AE4EC81A7375ABEA

SHA256:

65B6EE3E8DEEDFA77048545661A388F3FE819B48332552A8A21D6A4AA505A04F

SSDEEP:

3:N8DSL08HXE+uGFB5WhIGUE3cid5GWIeMMLNl0oNMGRLNa9GJMGRKVVRGn03HXm0/:2OL0yXE+uuWhx60GPeMMLNZNHRLNpRON

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Actions looks like stealing of personal data

      • AmanId.exe (PID: 7476)

    • Registers / Runs the DLL via REGSVR32.EXE

      • OneKey28826.tmp (PID: 6764)

    • Executing a file with an untrusted certificate

      • vsscom.exe (PID: 1172)

    • Changes the autorun value in the registry

      • ABService.exe (PID: 7936)

    • FLOXIF has been detected (YARA)

      • Backupper.exe (PID: 6452)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 7304)
      • OneKey28826.tmp (PID: 6764)
      • AmanId.exe (PID: 6720)
      • amanhlp.exe (PID: 8156)
      • ABLauncher.exe (PID: 6184)

    • Executable content was dropped or overwritten

      • OneKey28826.exe (PID: 6732)
      • LoadDrv.exe (PID: 8104)
      • OneKey28826.tmp (PID: 6764)

    • Process drops legitimate windows executable

      • OneKey28826.tmp (PID: 6764)

    • Reads the Windows owner or organization settings

      • OneKey28826.tmp (PID: 6764)

    • The process drops C-runtime libraries

      • OneKey28826.tmp (PID: 6764)

    • The process creates files with name similar to system file names

      • OneKey28826.tmp (PID: 6764)

    • Start notepad (likely ransomware note)

      • WinRAR.exe (PID: 7304)

    • Drops 7-zip archiver for unpacking

      • OneKey28826.tmp (PID: 6764)

    • Drops a system driver (possible attempt to evade defenses)

      • OneKey28826.tmp (PID: 6764)
      • LoadDrv.exe (PID: 8104)

    • Creates or modifies Windows services

      • LoadDrv.exe (PID: 8104)

    • Starts CMD.EXE for commands execution

      • OneKey28826.tmp (PID: 6764)

    • Creates/Modifies COM task schedule object

      • regsvr32.exe (PID: 6572)

    • Searches for installed software

      • OneKey28826.tmp (PID: 6764)
      • ABLauncher.exe (PID: 6184)
      • Backupper.exe (PID: 6452)
      • AOMEIBackupperSetup.exe (PID: 5588)

    • Creates file in the systems drive root

      • ValidCheck.exe (PID: 6504)
      • AmanId.exe (PID: 6720)
      • Backupper.exe (PID: 6452)

    • Checks Windows Trust Settings

      • AmanId.exe (PID: 6720)
      • amanhlp.exe (PID: 8156)

    • Uses WMIC.EXE to obtain CPU information

      • ABService.exe (PID: 7936)
      • Backupper.exe (PID: 6452)

    • Executes as Windows Service

      • VSSVC.exe (PID: 1020)
      • ABService.exe (PID: 7936)

    • There is functionality for taking screenshot (YARA)

      • Backupper.exe (PID: 6452)

    • Creates a software uninstall entry

      • Backupper.exe (PID: 6452)

  • INFO

    • Checks supported languages

      • identity_helper.exe (PID: 8140)
      • AOMEIBackupperSetup.exe (PID: 5588)
      • OneKey28826.tmp (PID: 6764)
      • OneKey28826.exe (PID: 6732)
      • Aman.exe (PID: 7448)
      • Aman.exe (PID: 3280)
      • AmanId.exe (PID: 7476)
      • Aman.exe (PID: 8148)
      • identity_helper.exe (PID: 7280)
      • AmanCpFile.exe (PID: 6096)
      • ABService.exe (PID: 7316)
      • ABService.exe (PID: 3540)
      • LoadDrv.exe (PID: 8104)
      • AmanId.exe (PID: 6720)
      • vsscom.exe (PID: 1172)
      • Aman.exe (PID: 6816)
      • ValidCheck.exe (PID: 6504)
      • Aman.exe (PID: 5548)
      • amanhlp.exe (PID: 8156)
      • ABLauncher.exe (PID: 6184)
      • Backupper.exe (PID: 6452)
      • ABService.exe (PID: 7936)
      • Aman.exe (PID: 7144)

    • Application launched itself

      • msedge.exe (PID: 5392)
      • msedge.exe (PID: 3876)

    • Reads Environment values

      • identity_helper.exe (PID: 8140)
      • OneKey28826.tmp (PID: 6764)
      • identity_helper.exe (PID: 7280)
      • ABService.exe (PID: 3540)
      • LoadDrv.exe (PID: 8104)
      • Aman.exe (PID: 5548)
      • Backupper.exe (PID: 6452)
      • ABService.exe (PID: 7936)
      • Aman.exe (PID: 7144)

    • Create files in a temporary directory

      • AOMEIBackupperSetup.exe (PID: 5588)
      • Aman.exe (PID: 3280)
      • AmanCpFile.exe (PID: 6096)
      • Aman.exe (PID: 8148)
      • Aman.exe (PID: 6816)
      • OneKey28826.exe (PID: 6732)
      • OneKey28826.tmp (PID: 6764)
      • Aman.exe (PID: 5548)
      • Aman.exe (PID: 7144)

    • The process uses the downloaded file

      • msedge.exe (PID: 7224)
      • msedge.exe (PID: 5392)
      • WinRAR.exe (PID: 7304)
      • OneKey28826.tmp (PID: 6764)
      • ABLauncher.exe (PID: 6184)

    • Reads the computer name

      • identity_helper.exe (PID: 8140)
      • AmanCpFile.exe (PID: 6096)
      • ABService.exe (PID: 7316)
      • ABService.exe (PID: 3540)
      • identity_helper.exe (PID: 7280)
      • vsscom.exe (PID: 1172)
      • LoadDrv.exe (PID: 8104)
      • AmanId.exe (PID: 6720)
      • OneKey28826.tmp (PID: 6764)
      • amanhlp.exe (PID: 8156)
      • ABLauncher.exe (PID: 6184)
      • Backupper.exe (PID: 6452)
      • ABService.exe (PID: 7936)

    • Reads Microsoft Office registry keys

      • msedge.exe (PID: 5392)
      • WinRAR.exe (PID: 7304)

    • Creates files in the program directory

      • AOMEIBackupperSetup.exe (PID: 5588)
      • Aman.exe (PID: 7448)
      • OneKey28826.tmp (PID: 6764)
      • ABService.exe (PID: 7316)
      • ABService.exe (PID: 3540)
      • LoadDrv.exe (PID: 8104)
      • ValidCheck.exe (PID: 6504)
      • Aman.exe (PID: 5548)
      • Backupper.exe (PID: 6452)
      • ABService.exe (PID: 7936)

    • The sample compiled with russian language support

      • OneKey28826.tmp (PID: 6764)

    • The sample compiled with chinese language support

      • OneKey28826.tmp (PID: 6764)

    • Reads product name

      • OneKey28826.tmp (PID: 6764)
      • ABService.exe (PID: 3540)
      • Aman.exe (PID: 5548)
      • Backupper.exe (PID: 6452)
      • ABService.exe (PID: 7936)
      • Aman.exe (PID: 7144)

    • Process checks computer location settings

      • OneKey28826.tmp (PID: 6764)
      • ABLauncher.exe (PID: 6184)

    • The sample compiled with english language support

      • msedge.exe (PID: 2396)
      • OneKey28826.tmp (PID: 6764)

    • Reads security settings of Internet Explorer

      • notepad.exe (PID: 5964)
      • WMIC.exe (PID: 1804)
      • WMIC.exe (PID: 7944)
      • WMIC.exe (PID: 7996)
      • WMIC.exe (PID: 628)
      • WMIC.exe (PID: 7912)

    • Executable content was dropped or overwritten

      • msedge.exe (PID: 2396)

    • Creates a software uninstall entry

      • OneKey28826.tmp (PID: 6764)

    • Sends debugging messages

      • ABService.exe (PID: 3540)
      • LoadDrv.exe (PID: 8104)

    • Checks proxy server information

      • AmanId.exe (PID: 6720)
      • amanhlp.exe (PID: 8156)

    • Reads the machine GUID from the registry

      • AmanId.exe (PID: 6720)
      • amanhlp.exe (PID: 8156)
      • Backupper.exe (PID: 6452)

    • Reads the software policy settings

      • amanhlp.exe (PID: 8156)
      • AmanId.exe (PID: 6720)

    • Manual execution by a user

      • ABLauncher.exe (PID: 6184)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
253
Monitored processes
119
Malicious processes
9
Suspicious processes
1

Behavior graph

Click at the process to see the details
start msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs winrar.exe no specs aomeibackuppersetup.exe no specs aomeibackuppersetup.exe onekey28826.exe onekey28826.tmp msedge.exe no specs msedge.exe no specs aman.exe no specs amanid.exe aman.exe no specs amancpfile.exe no specs conhost.exe no specs aman.exe no specs notepad.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs abservice.exe no specs conhost.exe no specs abservice.exe conhost.exe no specs loaddrv.exe vsscom.exe no specs cmd.exe no specs conhost.exe no specs msedge.exe no specs amanid.exe regsvr32.exe no specs aman.exe no specs validcheck.exe no specs aman.exe no specs amanhlp.exe conhost.exe no specs ablauncher.exe no specs backupper.exe no specs #FLOXIF backupper.exe abservice.exe wmic.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs vssvc.exe no specs wmic.exe no specs conhost.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs wmic.exe no specs conhost.exe no specs msedge.exe no specs wmic.exe no specs conhost.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs aman.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
372"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2700 --field-trial-handle=1516,i,11795303829190761450,15475584936120063106,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
628wmic cpu get processoridC:\Windows\SysWOW64\wbem\WMIC.exeABService.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
648"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=5100 --field-trial-handle=1516,i,11795303829190761450,15475584936120063106,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
828\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeWMIC.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
936"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=6644 --field-trial-handle=2376,i,17590710921436902308,12962921552008517545,262144 --variations-seed-version /prefetch:1C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1020C:\WINDOWS\system32\vssvc.exeC:\Windows\System32\VSSVC.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Version:
10.0.19041.1 (WinBuild.160101.0800)
1144"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=3952 --field-trial-handle=2376,i,17590710921436902308,12962921552008517545,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1172"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5388 --field-trial-handle=2376,i,17590710921436902308,12962921552008517545,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1172vsscom.exe /regserverC:\Program Files (x86)\AOMEI\AOMEI Backupper\7.4.1\vsscom.exeLoadDrv.exe
User:
admin
Company:
AOMEI Technology Co., Ltd.
Integrity Level:
HIGH
Description:
AOMEI Volume Shadow Copy Complement
Exit code:
0
Version:
1.0.0.1
Modules
Images
c:\program files (x86)\aomei\aomei backupper\7.4.1\vsscom.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
1216"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4764 --field-trial-handle=1516,i,11795303829190761450,15475584936120063106,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
15 746
Read events
15 629
Write events
106
Delete events
11

Modification events

(PID) Process:(5392) msedge.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:writeName:S-1-5-21-1693682860-607145093-2874071422-1001
Value:
66102F75A4882F00
(PID) Process:(5392) msedge.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:writeName:S-1-5-21-1693682860-607145093-2874071422-1001
Value:
25083A75A4882F00
(PID) Process:(5392) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\394010
Operation:writeName:WindowTabManagerFileMappingId
Value:
{CD088F13-4A0A-48AB-BE45-26B7038F1A1A}
(PID) Process:(5392) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:failed_count
Value:
0
(PID) Process:(5392) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:state
Value:
2
(PID) Process:(5392) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:state
Value:
1
(PID) Process:(5392) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\StabilityMetrics
Operation:writeName:user_experience_metrics.stability.exited_cleanly
Value:
0
(PID) Process:(5392) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\394010
Operation:writeName:WindowTabManagerFileMappingId
Value:
{7A61E325-37BC-466A-A4E5-D6FC216C8B0A}
(PID) Process:(5392) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\394010
Operation:writeName:WindowTabManagerFileMappingId
Value:
{AE3E78BB-9B53-475C-BD32-11EE6599B119}
(PID) Process:(5392) msedge.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:writeName:S-1-5-21-1693682860-607145093-2874071422-1001
Value:
12A07B75A4882F00
Executable files
628
Suspicious files
678
Text files
1 000
Unknown types
7

Dropped files

PID
Process
Filename
Type
5392msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF135278.TMP
MD5:
SHA256:
5392msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
MD5:
SHA256:
5392msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF135288.TMP
MD5:
SHA256:
5392msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old
MD5:
SHA256:
5392msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF135288.TMP
MD5:
SHA256:
5392msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF135288.TMP
MD5:
SHA256:
5392msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
MD5:
SHA256:
5392msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
MD5:
SHA256:
5392msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF135288.TMP
MD5:
SHA256:
5392msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
57
TCP/UDP connections
122
DNS requests
106
Threats
6

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
23.216.77.28:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6940
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
7888
SIHClient.exe
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
8152
svchost.exe
HEAD
200
199.232.214.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/9cf951df-e7db-4d00-b0fc-02131f5ca303?P1=1735342995&P2=404&P3=2&P4=QJyOLRA%2fTqdE5Cn%2f32Y4KynhVkhAuamiF%2bMqI5R%2fSB%2bUEvYXm8N9q7khK2UpprStKs8RMiN91L3z0f1DqPmMqQ%3d%3d
unknown
whitelisted
7888
SIHClient.exe
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
8152
svchost.exe
GET
206
199.232.214.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/9cf951df-e7db-4d00-b0fc-02131f5ca303?P1=1735342995&P2=404&P3=2&P4=QJyOLRA%2fTqdE5Cn%2f32Y4KynhVkhAuamiF%2bMqI5R%2fSB%2bUEvYXm8N9q7khK2UpprStKs8RMiN91L3z0f1DqPmMqQ%3d%3d
unknown
whitelisted
5064
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
8152
svchost.exe
GET
206
199.232.214.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/9cf951df-e7db-4d00-b0fc-02131f5ca303?P1=1735342995&P2=404&P3=2&P4=QJyOLRA%2fTqdE5Cn%2f32Y4KynhVkhAuamiF%2bMqI5R%2fSB%2bUEvYXm8N9q7khK2UpprStKs8RMiN91L3z0f1DqPmMqQ%3d%3d
unknown
whitelisted
8152
svchost.exe
GET
206
199.232.214.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/9cf951df-e7db-4d00-b0fc-02131f5ca303?P1=1735342995&P2=404&P3=2&P4=QJyOLRA%2fTqdE5Cn%2f32Y4KynhVkhAuamiF%2bMqI5R%2fSB%2bUEvYXm8N9q7khK2UpprStKs8RMiN91L3z0f1DqPmMqQ%3d%3d
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
1684
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4712
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
23.216.77.28:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2.23.181.156:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
5392
msedge.exe
239.255.255.250:1900
whitelisted
6364
msedge.exe
13.107.42.16:443
config.edge.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6364
msedge.exe
104.26.10.118:443
www.aomeitech.com
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
  • 51.124.78.146
whitelisted
google.com
  • 142.250.186.142
whitelisted
crl.microsoft.com
  • 23.216.77.28
  • 23.216.77.6
whitelisted
www.microsoft.com
  • 2.23.181.156
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
www.aomeitech.com
  • 104.26.10.118
  • 172.67.71.27
  • 104.26.11.118
whitelisted
edge.microsoft.com
  • 13.107.21.239
  • 204.79.197.239
whitelisted
business.bing.com
  • 13.107.6.158
whitelisted
edge-mobile-static.azureedge.net
  • 13.107.246.45
whitelisted
bzib.nelreports.net
  • 23.48.23.26
  • 23.48.23.51
whitelisted

Threats

Found threats are available for the paid subscriptions
6 ETPRO signatures available at the full report
Process
Message
ABService.exe
[2024-12-25 01:33:29] [0 ]UiRecord.cpp(545): CUiRecord:C:\ProgramData\AomeiBR\tasks2.2.xml
ABService.exe
[2024-12-25 01:33:29] [2 ]UiRecord.cpp(715): Failed to repair task.xml
LoadDrv.exe
OpenService() Faild !
LoadDrv.exe
OpenSCManager() ok !
LoadDrv.exe
============Enter UnloadDriver:============
LoadDrv.exe
ammntdrv
LoadDrv.exe
============Leave UnloadDriver============
LoadDrv.exe
ammntdrv
LoadDrv.exe
amwrtdrv
LoadDrv.exe
OpenSCManager() ok !
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://www.aomeitech.com/partners/biggest-christmas-carnival-giveaway-2358.html?x-clickref=1011lA5PVQeR&x-clickref=1011lA5Q2vzo&x-clickref=1100lzXAgAQy#backup-software