URL:

https://download.aoscdn.com/backgrounderaser-setup-chn-filehorse.exe

Full analysis: https://app.any.run/tasks/e0ebbc57-d036-4a4b-b7c3-815430838a09
Verdict: Malicious activity
Analysis date: May 26, 2024, 16:29:05
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

C5923C19ED61A33C1A8C4AB74D0E2A1C

SHA1:

481A9C572BC4B152CB42DA8CE8AD2038E701B7DF

SHA256:

6D13DA90F191261B15A815E98227730141116B81CA370516753D479E54232FFC

SSDEEP:

3:N8SEl32cvtXLM/bWV7zANeAC:2SK4mwNeAC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • backgrounderaser-setup-chn-filehorse.exe (PID: 1060)
      • installer.exe (PID: 1640)
      • installer.tmp (PID: 2240)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • backgrounderaser-setup-chn-filehorse.exe (PID: 1060)

    • Reads the Internet Settings

      • backgrounderaser-setup-chn-filehorse.exe (PID: 1060)
      • Apowersoft background eraser.exe (PID: 2924)

    • Executable content was dropped or overwritten

      • backgrounderaser-setup-chn-filehorse.exe (PID: 1060)
      • installer.exe (PID: 1640)
      • installer.tmp (PID: 2240)

    • Reads the Windows owner or organization settings

      • installer.tmp (PID: 2240)

    • The process drops C-runtime libraries

      • installer.tmp (PID: 2240)

    • Changes Internet Explorer settings (feature browser emulation)

      • installer.tmp (PID: 2240)

    • Uses NETSH.EXE to delete a firewall rule or allowed programs

      • installer.tmp (PID: 2240)

    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • installer.tmp (PID: 2240)

    • Process drops legitimate windows executable

      • installer.tmp (PID: 2240)

    • Reads settings of System Certificates

      • Apowersoft background eraser.exe (PID: 2924)

  • INFO

    • Application launched itself

      • iexplore.exe (PID: 3984)
      • msedge.exe (PID: 2664)
      • msedge.exe (PID: 2648)

    • Modifies the phishing filter of IE

      • iexplore.exe (PID: 3984)

    • Checks supported languages

      • backgrounderaser-setup-chn-filehorse.exe (PID: 1060)
      • wmpnscfg.exe (PID: 1932)
      • installer.exe (PID: 1640)
      • installer.tmp (PID: 2240)
      • Apowersoft background eraser.exe (PID: 2924)

    • Drops the executable file immediately after the start

      • iexplore.exe (PID: 4044)
      • iexplore.exe (PID: 3984)

    • Create files in a temporary directory

      • backgrounderaser-setup-chn-filehorse.exe (PID: 1060)
      • installer.exe (PID: 1640)
      • installer.tmp (PID: 2240)

    • Executable content was dropped or overwritten

      • iexplore.exe (PID: 3984)
      • iexplore.exe (PID: 4044)

    • Reads the computer name

      • backgrounderaser-setup-chn-filehorse.exe (PID: 1060)
      • wmpnscfg.exe (PID: 1932)
      • installer.tmp (PID: 2240)
      • Apowersoft background eraser.exe (PID: 2924)

    • Reads the machine GUID from the registry

      • backgrounderaser-setup-chn-filehorse.exe (PID: 1060)
      • Apowersoft background eraser.exe (PID: 2924)

    • The process uses the downloaded file

      • iexplore.exe (PID: 3984)

    • Creates files in the program directory

      • backgrounderaser-setup-chn-filehorse.exe (PID: 1060)
      • installer.tmp (PID: 2240)
      • Apowersoft background eraser.exe (PID: 2924)

    • Manual execution by a user

      • wmpnscfg.exe (PID: 1932)
      • msedge.exe (PID: 2664)
      • Apowersoft background eraser.exe (PID: 2924)

    • Creates files or folders in the user directory

      • installer.tmp (PID: 2240)
      • Apowersoft background eraser.exe (PID: 2924)

    • Creates a software uninstall entry

      • installer.tmp (PID: 2240)

    • Process checks computer location settings

      • Apowersoft background eraser.exe (PID: 2924)

    • Reads Environment values

      • Apowersoft background eraser.exe (PID: 2924)

    • Reads the software policy settings

      • Apowersoft background eraser.exe (PID: 2924)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
66
Monitored processes
25
Malicious processes
5
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe backgrounderaser-setup-chn-filehorse.exe no specs backgrounderaser-setup-chn-filehorse.exe wmpnscfg.exe no specs installer.exe installer.tmp netsh.exe no specs netsh.exe no specs netsh.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs apowersoft background eraser.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
336"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\backgrounderaser-setup-chn-filehorse.exe" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\backgrounderaser-setup-chn-filehorse.exeiexplore.exe
User:
admin
Company:
Apowersoft
Integrity Level:
MEDIUM
Description:
Apowersoft Installer
Exit code:
3221226540
Version:
1.1.0.8
Modules
Images
c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\b6qgx7lp\backgrounderaser-setup-chn-filehorse.exe
c:\windows\system32\ntdll.dll
916"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1268 --field-trial-handle=1284,i,3556221239022940588,8251363738486486770,131072 /prefetch:2C:\Program Files\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
1060"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\backgrounderaser-setup-chn-filehorse.exe" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\backgrounderaser-setup-chn-filehorse.exe
iexplore.exe
User:
admin
Company:
Apowersoft
Integrity Level:
HIGH
Description:
Apowersoft Installer
Exit code:
0
Version:
1.1.0.8
Modules
Images
c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\b6qgx7lp\backgrounderaser-setup-chn-filehorse.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24542_none_5c0717c7a00ddc6d\gdiplus.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1468"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=109.0.5414.149 "--annotation=exe=C:\Program Files\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win32 "--annotation=prod=Microsoft Edge" --annotation=ver=109.0.1518.115 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xd8,0x6e57f598,0x6e57f5a8,0x6e57f5b4C:\Program Files\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
1640"C:\Users\admin\AppData\Local\Temp\installer.exe" /VERYSILENT /SUPPRESSMSGBOXES /FORCECLOSEAPPLICATIONS /DIR="C:\Program Files\Apowersoft\Apowersoft Background Eraser" /LANG=EnglishC:\Users\admin\AppData\Local\Temp\installer.exe
backgrounderaser-setup-chn-filehorse.exe
User:
admin
Company:
Wangxu Technology Co.,Ltd.
Integrity Level:
HIGH
Description:
Apowersoft background eraser Setup
Exit code:
0
Version:
2.3.28
Modules
Images
c:\users\admin\appdata\local\temp\installer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1932"C:\Program Files\Windows Media Player\wmpnscfg.exe"C:\Program Files\Windows Media Player\wmpnscfg.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
2172"C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name="Apowersoft background eraser" program="C:\Program Files\Apowersoft\Apowersoft Background Eraser\Apowersoft background eraser.exe"C:\Windows\System32\netsh.exeinstaller.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll
2240"C:\Users\admin\AppData\Local\Temp\is-6THUL.tmp\installer.tmp" /SL5="$30138,22836803,749056,C:\Users\admin\AppData\Local\Temp\installer.exe" /VERYSILENT /SUPPRESSMSGBOXES /FORCECLOSEAPPLICATIONS /DIR="C:\Program Files\Apowersoft\Apowersoft Background Eraser" /LANG=EnglishC:\Users\admin\AppData\Local\Temp\is-6THUL.tmp\installer.tmp
installer.exe
User:
admin
Integrity Level:
HIGH
Description:
Setup/Uninstall
Exit code:
0
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-6thul.tmp\installer.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mpr.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
2524"C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Apowersoft background eraser" dir=in action=allow program="C:\Program Files\Apowersoft\Apowersoft Background Eraser\Apowersoft background eraser.exe" enable=yesC:\Windows\System32\netsh.exeinstaller.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll
2616"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1388 --field-trial-handle=1248,i,6507031228830226860,13196223213941693009,131072 /prefetch:3C:\Program Files\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events
34 084
Read events
33 722
Write events
322
Delete events
40

Modification events

(PID) Process:(3984) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPDaysSinceLastAutoMigration
Value:
1
(PID) Process:(3984) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPLastLaunchLowDateTime
Value:
(PID) Process:(3984) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPLastLaunchHighDateTime
Value:
31109001
(PID) Process:(3984) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:writeName:NextCheckForUpdateLowDateTime
Value:
(PID) Process:(3984) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:writeName:NextCheckForUpdateHighDateTime
Value:
31109001
(PID) Process:(3984) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(3984) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(3984) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(3984) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:writeName:CompatibilityFlags
Value:
0
(PID) Process:(3984) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
Executable files
481
Suspicious files
77
Text files
91
Unknown types
2

Dropped files

PID
Process
Filename
Type
4044iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\backgrounderaser-setup-chn-filehorse[1].exeexecutable
MD5:343EA6313F74790E6D2EC3A3E934C310
SHA256:354480F387E1A6E595B859EEB924D6EA6F6AA9C3545F8E42935E835B2D47D011
4044iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\68FAF71AF355126BCA00CE2E73CC7374_9348905ADD4E6B2C7F47404EF1D88D59binary
MD5:3A6CA92DFB184836C43EF8076D2A8C6D
SHA256:4FD491F3BA011AF6DC3EF483143B1A60E7C83B2AED010244E1ADCC698279C7BD
4044iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\68FAF71AF355126BCA00CE2E73CC7374_9348905ADD4E6B2C7F47404EF1D88D59binary
MD5:2929D6F7A0DEC0D3029B1AEC611AE20F
SHA256:947DA3E9ED23962FC40B7109029E16713340FDE5C663CA89CEDB613A44464037
4044iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:869BB4D013C56E86AE92F1DA996C5AA3
SHA256:8F0E8460D34EA1A9543150FA663961981D287CE78929AC4F36C63821C2429CF2
1060backgrounderaser-setup-chn-filehorse.exeC:\Users\admin\AppData\Local\Temp\installer.exe.err.logtext
MD5:139F8115F7E20F60A8894C96609E98F6
SHA256:C2E388F763BF4C93E6A8D528BE30864976022B1D893C84E8C85301392451A6A6
4044iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AE5CBAD61AAAAA13CDE041EC2AC306F0_7795C314C4E7E1605CE826EA49ACD5A2binary
MD5:E28C26475032AE53BFD08AFCE5FEC8BC
SHA256:358D348620EAA99C1351417EB6804655E922E372E15FBF0DFFB9A47A6B6DC91C
4044iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AE5CBAD61AAAAA13CDE041EC2AC306F0_7795C314C4E7E1605CE826EA49ACD5A2binary
MD5:766C7302CECEA7A401ACA765D017086A
SHA256:BCDB186A8B97991AB465C887EE0BEA7EB6F509CD31753769AE257E2394E7355E
3984iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF391C936037339A42.TMPbinary
MD5:DDCAFE29DA69315634254BC07DAF0CCE
SHA256:EDDD5F74B5E931E904E4E8FF83DE815F59A28C3FDF1B4A9DE92878A8ADFC4BE3
4044iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27binary
MD5:F357371E3D323FC701BD96F40DAFED68
SHA256:D2F051E9FA101AD62B22BE45EA7D6F91C17E4E0DF74086B44264E40E5066FF7A
4044iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27binary
MD5:BA8CEEC2EBF3E753A6B705E63C2E9388
SHA256:A148B8E23442402002DDE02681B2BF399DC058FED6B7EC7839C767F2070A2C02
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
19
TCP/UDP connections
57
DNS requests
53
Threats
6

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4044
iexplore.exe
GET
304
23.50.131.196:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?d1fc3241a5fb83c4
unknown
unknown
4044
iexplore.exe
GET
304
23.50.131.200:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?098b2ca3f74ef2d4
unknown
unknown
4044
iexplore.exe
GET
200
2.17.147.122:80
http://subca.ocsp-certum.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTYOkzrrCGQj08njZXbUQQpkoUmuQQUCHbNywf%2FJPbFze27kLzihDdGdfcCEQDCt1Xbk71HLBjTUQvY7qDe
unknown
unknown
4044
iexplore.exe
GET
200
2.17.147.144:80
http://xinchacha2dv.ocsp-certum.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ4Sk6ZNdKzjsbcX9MfzVXSFJ9BPAQUoUOOADQJ5Xs1M651iQTyMmEPqOcCEAQE7hFcZ0khI91i5lf4n6U%3D
unknown
unknown
4044
iexplore.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D
unknown
unknown
1060
backgrounderaser-setup-chn-filehorse.exe
GET
200
47.244.67.194:80
http://wx-user-behavior.cn-hongkong.log.aliyuncs.com/logstores/webtrack/track?APIVersion=0.6.0&__topic__=win-launcher&unique_id=8287a29015fb0005117c3061d4580267&session_id=1716740961&app=Apowersoft%20Background%20Eraser&appid=361&apptype=chn-filehorse&installer_version=1.1.0.8&is_old_user=-1&last_step_duration=0&os_available_memory=2598888000&os_culture=0409&os_dpi=100&os_fullname=Microsoft%20Windows%207%20Professional%20&os_lang=en-US&os_resolution=1280x720&os_total_memory=3145208000&os_version=6.1.7601&step=1
unknown
unknown
1060
backgrounderaser-setup-chn-filehorse.exe
GET
200
47.244.67.194:80
http://wx-user-behavior.cn-hongkong.log.aliyuncs.com/logstores/webtrack/track?APIVersion=0.6.0&__topic__=win-launcher&unique_id=8287a29015fb0005117c3061d4580267&session_id=1716740961&app=Apowersoft%20Background%20Eraser&app_install_path=C%3A%5CProgram%20Files%5CApowersoft%5CApowersoft%20Background%20Eraser&app_lang=English&appid=361&apptype=chn-filehorse&last_step_duration=2&step=2
unknown
unknown
1060
backgrounderaser-setup-chn-filehorse.exe
GET
302
47.243.121.132:80
http://download.aoscdn.com/down.php?softid=backgrounderaserinstall-chn-filehorse
unknown
unknown
1060
backgrounderaser-setup-chn-filehorse.exe
GET
404
163.181.92.225:80
http://cdn.aoscdn.com/img/contact-group/installer-361-qq.jpg?19869
unknown
unknown
2240
installer.tmp
GET
200
47.244.67.194:80
http://wx-user-behavior.cn-hongkong.log.aliyuncs.com/logstores/win-setup/track?APIVersion=0.6.0&__topic__=install&appid=361&apptype=saas
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
224.0.0.252:5355
unknown
1088
svchost.exe
224.0.0.252:5355
unknown
4044
iexplore.exe
47.243.121.132:443
download.aoscdn.com
Alibaba US Technology Co., Ltd.
HK
unknown
4044
iexplore.exe
23.50.131.196:80
ctldl.windowsupdate.com
Akamai International B.V.
DE
unknown
4044
iexplore.exe
23.50.131.200:80
ctldl.windowsupdate.com
Akamai International B.V.
DE
unknown
4044
iexplore.exe
2.17.147.122:80
subca.ocsp-certum.com
Akamai International B.V.
CZ
unknown
4044
iexplore.exe
2.17.147.144:80
subca.ocsp-certum.com
Akamai International B.V.
CZ
unknown
4044
iexplore.exe
104.26.4.201:443
download.apowersoft.info
CLOUDFLARENET
US
unknown

DNS requests

Domain
IP
Reputation
download.aoscdn.com
  • 47.243.121.132
unknown
ctldl.windowsupdate.com
  • 23.50.131.196
  • 23.50.131.208
  • 23.50.131.202
  • 23.50.131.200
  • 23.50.131.213
  • 23.50.131.199
  • 23.50.131.210
  • 23.50.131.205
  • 23.50.131.216
  • 23.50.131.207
  • 23.50.131.215
  • 23.50.131.209
  • 23.50.131.203
  • 23.50.131.201
whitelisted
subca.ocsp-certum.com
  • 2.17.147.122
  • 2.17.147.144
whitelisted
xinchacha2dv.ocsp-certum.com
  • 2.17.147.144
  • 2.17.147.122
unknown
download.apowersoft.info
  • 104.26.4.201
  • 104.26.5.201
  • 172.67.75.55
unknown
ocsp.digicert.com
  • 192.229.221.95
whitelisted
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 95.100.146.17
  • 95.100.146.35
  • 95.100.146.33
  • 95.100.146.19
  • 95.100.146.8
  • 95.100.146.25
  • 95.100.146.26
  • 95.100.146.11
  • 95.100.146.10
  • 95.100.146.16
  • 95.100.146.24
whitelisted
wx-user-behavior.cn-hongkong.log.aliyuncs.com
  • 47.244.67.194
  • 47.244.67.195
  • 47.90.119.19
  • 47.244.67.196
  • 47.244.67.192
  • 47.52.212.53
  • 47.244.67.193
  • 47.89.5.161
  • 47.244.67.191
  • 47.244.67.197
unknown
cdn.aoscdn.com
  • 163.181.92.225
  • 163.181.92.245
  • 163.181.92.226
  • 163.181.92.243
  • 163.181.92.241
  • 163.181.92.250
  • 163.181.92.249
  • 163.181.92.246
whitelisted

Threats

PID
Process
Class
Message
1088
svchost.exe
Misc activity
ET INFO DNS Query to Alibaba Cloud CDN Domain (aliyuncs .com)
2776
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code.jquery .com)
2776
msedge.exe
Misc activity
ET INFO DNS Query to Alibaba Cloud CDN Domain (aliyuncs .com)
2776
msedge.exe
Misc activity
ET INFO DNS Query to Alibaba Cloud CDN Domain (aliyuncs .com)
Misc activity
ET INFO Observed Alibaba Cloud CDN Domain (aliyuncs .com in TLS SNI)
Misc activity
ET INFO Observed Alibaba Cloud CDN Domain (aliyuncs .com in TLS SNI)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://download.aoscdn.com/backgrounderaser-setup-chn-filehorse.exe