Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [<HKLM>\Software\Classes\AOMEI Backupper Backup File\shell\open\command] '' = '%TEMP%\7ZipSfx.000\Backupper.exe -loadImage "%1"'
Sets the following service settings
- [<HKLM>\System\CurrentControlSet\Services\amwrtdrv] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\amwrtdrv] 'ImagePath' = '<SYSTEM32>\amwrtdrv.sys'
Creates the following services
- 'amwrtdrv' <SYSTEM32>\amwrtdrv.sys
Modifies file system
Creates the following files
- %TEMP%\7zipsfx.000\2gpt_bcd
- %TEMP%\7zipsfx.000\qtcore4.dll
- %TEMP%\7zipsfx.000\phonon4.dll
- %TEMP%\7zipsfx.000\peloaddrv.exe
- %TEMP%\7zipsfx.000\outlook.dll
- %TEMP%\7zipsfx.000\obcorex64.exe
- %TEMP%\7zipsfx.000\nthelp.dll
- %TEMP%\7zipsfx.000\msvcr90.dll
- %TEMP%\7zipsfx.000\msvcr80.dll
- %TEMP%\7zipsfx.000\qtgui4.dll
- %TEMP%\7zipsfx.000\msvcp90.dll
- %TEMP%\7zipsfx.000\msvcm90.dll
- %TEMP%\7zipsfx.000\msvcm80.dll
- %TEMP%\7zipsfx.000\mfcm80u.dll
- %TEMP%\7zipsfx.000\mfcm80.dll
- %TEMP%\7zipsfx.000\mfc80u.dll
- %TEMP%\7zipsfx.000\mfc80.dll
- %TEMP%\7zipsfx.000\log4cplusu.dll
- %TEMP%\7zipsfx.000\libssl-1_1-x64.dll
- %TEMP%\7zipsfx.000\msvcp80.dll
- %ALLUSERSPROFILE%\aomeibr\tasks2.2.xml
- %TEMP%\7zipsfx.000\abnotifytoolcfg.ini
- %TEMP%\7zipsfx.000\qtxml4.dll
- %ALLUSERSPROFILE%\aomeibr\daytime.ini
- %ALLUSERSPROFILE%\aomeibr\brfunction.ini
- %ALLUSERSPROFILE%\aomeibr\backuprecovery.ini
- %TEMP%\7zipsfx.000\log\reg.log
- %ALLUSERSPROFILE%\aomeibr\cb\db\amct.db
- %ALLUSERSPROFILE%\aomeibr\cb\db\amct.db-journal
- %ALLUSERSPROFILE%\aomeibr\cb\db\amcbdb.db
- %ALLUSERSPROFILE%\aomeibr\cb\db\amcbdb.db-journal
- %TEMP%\7zipsfx.000\libeay32.dll
- %ALLUSERSPROFILE%\aomeibr\comn.ini
- %TEMP%\7zipsfx.000\log\backupper0.txt
- %TEMP%\7zipsfx.000\color.xml
- %TEMP%\7zipsfx.000\vcomp.dll
- %TEMP%\7zipsfx.000\usbdetect.dll
- %TEMP%\7zipsfx.000\uilogic.dll
- %TEMP%\7zipsfx.000\sync.dll
- %TEMP%\7zipsfx.000\ssleay32.dll
- %TEMP%\7zipsfx.000\sqlite3.dll
- %TEMP%\7zipsfx.000\qtnetwork4.dll
- %TEMP%\7zipsfx.000\qtwebkit4.dll
- %TEMP%\7zipsfx.000\libcurl.dll
- %TEMP%\7zipsfx.000\brvol.dll
- %TEMP%\7zipsfx.000\brfat.dll
- %TEMP%\7zipsfx.000\backupper.exe
- %TEMP%\7zipsfx.000\backup.dll
- %TEMP%\7zipsfx.000\awssns.dll
- %TEMP%\7zipsfx.000\amnet.dll
- %TEMP%\7zipsfx.000\ammcauth.dll
- %TEMP%\7zipsfx.000\amcore.dll
- %TEMP%\7zipsfx.000\version.ini
- %TEMP%\7zipsfx.000\brlog.dll
- %TEMP%\7zipsfx.000\other.ini
- %TEMP%\7zipsfx.000\microsoft.vc80.openmp.manifest
- %TEMP%\7zipsfx.000\microsoft.vc80.mfc.manifest
- %TEMP%\7zipsfx.000\microsoft.vc80.crt.manifest
- %TEMP%\7zipsfx.000\lang\en.txt
- %TEMP%\7zipsfx.000\dev.dat
- %TEMP%\7zipsfx.000\config.dat
- %TEMP%\7zipsfx.000\cfg.ini
- %TEMP%\7zipsfx.000\2mbr_bcd
- %TEMP%\7zipsfx.000\microsoft.vc90.crt.manifest
- %TEMP%\7zipsfx.000\exfatstd.dll
- %TEMP%\7zipsfx.000\libamct.dll
- %TEMP%\7zipsfx.000\clone.dll
- %TEMP%\7zipsfx.000\libamcbdb.dll
- %TEMP%\7zipsfx.000\libamcbconsole.dll
- %TEMP%\7zipsfx.000\ldm.dll
- %TEMP%\7zipsfx.000\imgfile.dll
- %TEMP%\7zipsfx.000\gptbcd.dll
- %TEMP%\7zipsfx.000\funcoutlook.dll
- %TEMP%\7zipsfx.000\funclogic.dll
- %TEMP%\7zipsfx.000\flbackup.dll
- %TEMP%\7zipsfx.000\libcrypto-1_1-x64.dll
- %TEMP%\7zipsfx.000\filedialog.dll
- %TEMP%\7zipsfx.000\erasedisk.exe
- %TEMP%\7zipsfx.000\enumfolder.dll
- %TEMP%\7zipsfx.000\encrypt.dll
- %TEMP%\7zipsfx.000\diskmgr.dll
- %TEMP%\7zipsfx.000\devicemgr.dll
- %TEMP%\7zipsfx.000\device.dll
- %TEMP%\7zipsfx.000\compress.dll
- %TEMP%\7zipsfx.000\comn.dll
- %TEMP%\7zipsfx.000\brntfs.dll
- %ALLUSERSPROFILE%\aomeibr\abnotifytoolstate.ini
Deletes the following files
- %ALLUSERSPROFILE%\aomeibr\cb\db\amcbdb.db-journal
- %ALLUSERSPROFILE%\aomeibr\cb\db\amct.db-journal
Moves the following files
- from %TEMP%\7zipsfx.000\abnotifytoolcfg.ini to %TEMP%\7zipsfx.000\abnotifyloaclcfg.ini
Substitutes the following files
- %ALLUSERSPROFILE%\aomeibr\cb\db\amcbdb.db-journal
- %ALLUSERSPROFILE%\aomeibr\cb\db\amct.db-journal
Network activity
Connects to
- 'ao###tech.com':80
- 'localhost':49204
- 'localhost':49202
- 'localhost':49199
- 'localhost':49197
- 'localhost':49194
- 'localhost':49192
- 'bing.com':443
- 'localhost':49207
- 'localhost':49189
- 'google.com':443
- 'localhost':49184
- 'localhost':49182
- 'ac#####.aomeitech.com':80
- 'localhost':49179
- 'localhost':49177
- 'sn.####isoftware.com':80
- 'localhost':49187
- 'localhost':49209
TCP
HTTP GET requests
- http://sn.####isoftware.com/api/v1/php/sn?cl########
- http://sn.####isoftware.com/api/v1/php/sn?cl#####################################################################################################################################################...
- http://ac#####.aomeitech.com/Notifycfg.ini
Other
- 'localhost':49177
- 'localhost':49207
- 'localhost':49205
- 'localhost':49204
- 'localhost':49202
- 'localhost':49200
- 'localhost':49199
- 'localhost':49197
- 'localhost':49195
- 'localhost':49209
- 'localhost':49194
- 'localhost':49190
- 'localhost':49189
- 'localhost':49187
- 'localhost':49185
- 'localhost':49184
- 'localhost':49182
- 'localhost':49180
- 'localhost':49179
- 'localhost':49192
- 'localhost':49210
UDP
- DNS ASK ao###tech.com
- DNS ASK sn.####isoftware.com
- DNS ASK ac#####.aomeitech.com
- DNS ASK google.com
- DNS ASK bing.com
Miscellaneous
Creates and executes the following
- '%TEMP%\7zipsfx.000\backupper.exe'
- '<SYSTEM32>\wbem\wmic.exe' cpu get processorid' (with hidden window)
Executes the following
- '<SYSTEM32>\wbem\wmic.exe' cpu get processorid
