Safe
Properly signed AOMEI recovery installer with zero engine detections and long clean prevalence history.
9719e1abde7fb8c6bb…1a69572b08The verdict, reasoned out.
Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.
The file shows a clean engine profile with 17 tier-1 engines reporting it harmless and no tier-1 malicious detections. It carries a valid signature from the vendor named in the filename. Prevalence data indicates it is common_old software with hundreds of prior submissions. While synthesis heuristics flagged process injection and direct-IP behaviour, these are typical of signed installers that extract components and register services. Similar imphash matches were unsigned files from unrelated families, providing no contradictory evidence against this signed sample.
Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.
engines: 0 malicious detections, 17 tier-1 clean reports
signing.verified=true, signer='AOMEI International Network Limited'
prevalence.classification='common_old', 470 submissions since 2021-12-20
similarHashes: 4 malicious imphash matches were unsigned setup.exe files, not matching this signed AOMEI sample
- Zero engine detections across 75 scanners
- Valid signature from AOMEI International Network Limited
- 470 prior submissions with clean reputation
- No malicious dropped children or sandbox verdicts
The evidence supports treating this as a legitimate AOMEI recovery tool. Run it only after confirming the digital signature matches the vendor.
What this file did when executed
This file was detonated in 1 sandbox and its runtime behaviour was observed.
Adversary techniques mapped to the MITRE ATT&CK framework.
- 23.40.197.184
- 209.197.3.8
- 23.216.147.64
- 20.99.132.105
- 20.62.24.77
- 23.216.147.76
- 20.99.133.109
- a83f:8110:1a1a:1aff:1b1b:1bff:1b1b:1bff
- 23.216.147.62
- 20.99.184.37
- C:\Documents and Settings\Administrator\Local Settings\Temp\is-57SL4.tmp\996E.tmp
- C:\Documents and Settings\Administrator\Local Settings\Temp\is-RMQJM.tmp\_isetup\_shfoldr.dll
- C:\Documents and Settings\Administrator\Local Settings\Temp\is-RMQJM.tmp\OneKeyScriptDLL.dll
- C:\Documents and Settings\Administrator\Local Settings\Temp\is-A6G5N.tmp\996E.tmp
- C:\Documents and Settings\Administrator\Local Settings\Temp\is-KB9VA.tmp\_isetup\_shfoldr.dll
- C:\Users\<USER>\AppData\Local\Temp\is-K3H6D.tmp\Amok.dll
- C:\Users\<USER>\AppData\Local\Temp\Amok.dll
- C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_cbbb49d6-b7ff-44ca-aba5-8a5e250d4d42
- C:\ProgramData\Microsoft\Windows\WER\Temp\WERFCDE.tmp.WERInternalMetadata.xml
- C:\ProgramData\Microsoft\Windows\WER\Temp\WERFD99.tmp.csv
- Local\RstrMgr3887CAB8-533F-4C85-B0DC-3E5639F8D511
- Local\RstrMgr-3887CAB8-533F-4C85-B0DC-3E5639F8D511-Session0000
- Global\AmWebReg
- CTF.LBES.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
- CTF.Compart.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
Files this sample writes at runtime
This file drops 10 children at runtime. None are currently flagged malicious in our cache.
- 4252ef0ec82de8b6634f…35e10eNever scannednever seen before
- bf83b3165deadcfa3d7b…2ad571Never scannednever seen before
- 9884e9d1b4f8a873ccbd…360d87Never scannednever seen before
- a4c86fc4836ac728d7bd…95fd81Never scannednever seen before
- 0b16ad93ee38243d72ff…c8d531Never scannednever seen before
- 6e9dbd60bd5cb014044d…6d964aNever scannednever seen before
- 71dacebe04e1b24f9af6…8edffeNever scannednever seen before
- 79d16ec8641ebe680ff0…0dc705Never scannednever seen before
- 060c82c2e04d22fb40a3…939898Never scannednever seen before
- 5612260cdb8a75f601ed…e1b1e7Never scannednever seen before
YARA + heuristic rules that fired
A researcher-curated or high-severity heuristic rule matched this sample. These rules target specific malware families and are near-definitive.
MITRE T1055 (Process Injection) observed — CreateRemoteThread / APC / reflective-DLL injection. The payload is being smuggled into a legitimate process to bypass AV hooks.
Evidence"C:\Users\<USER>\AppData\Local\Temp\file.exe"Sample contacted 19 external IP address(es) and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists.
Evidence23.40.197.184 · 209.197.3.8 · 23.216.147.64
0 detections across 75 engines
Section entropy & packers
Section-level entropy and packer detection from the PE header. Nothing suspicious here — entropy is within the normal range for unpacked code.
How often this file shows up in the wild
Widely seen in the wild for a long time. High prior this is legitimate; isolated detections on common-old files are usually false positives.
Forensic fingerprint
- File name
- aomei-onekey-recovery-1-7-1.exe
- Size
- 27.33 MB
- MIME type
- (unknown)
- Detected type
- Win32 EXE
- SHA-256
- 9719e1abde7fb8c6bb8330d7ced83c7ed95bf5385b0280e5b059111a69572b08
- MD5
- 041291c6775861f803fd309a75546955
- SHA-1
- 688d525ba27596e7141a3df1c689bf834370261c
- PE imphash
- 483f0c4259a9148c34961abbda6146c1
- First seen (VT)
- 12/20/2021, 8:07:23 AM
- Last analysis (VT)
- 5/14/2026, 2:43:50 AM
- First scan (MalwareTips)
- 7/3/2026, 6:17:32 AM
- Last scan (MalwareTips)
- 7/3/2026, 6:17:32 AM
- Code signer
- AOMEI International Network Limitedverified
- Community reputation
- +15trusted
Reviews & malware reports(0)
Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.