File name:

Ample Sound Ample Metal Eclipse v310 WiN-OSX.exe

Full analysis: https://app.any.run/tasks/6e1863a3-e136-4f94-a2e7-90b6a54c14ab
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: November 10, 2023, 10:19:44
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
adware
loader
evasion
stealc
stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

79A3EE69373F2AD38367BF9F5BBBDEEC

SHA1:

BA53CAE330EC1AD18DA0B02C5EBBB0EF22071FA8

SHA256:

98692B163692B50B8EC63666AE91CF41B762CE71D28E9DA9A3CD55B4449D22A7

SSDEEP:

49152:+7HecD4dnbibBlZ/rjsbmLApne0Fop4R2uXB3iyLT/ex4XrL7P42DpJXWZn80cw0:m+cD4dng/rIkWnXFopLQ3iUrex4vkY77

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's acknowledgement. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • Ample Sound Ample Metal Eclipse v310 WiN-OSX.exe (PID: 3524)
      • setup.exe (PID: 3444)
      • Ample Sound Ample Metal Eclipse v310 WiN-OSX.tmp (PID: 3564)
      • setup.tmp (PID: 3556)
      • a1.exe (PID: 3988)
      • a3.exe (PID: 1360)
      • a3.tmp (PID: 1364)
      • a5.exe (PID: 2316)
      • msiexec.exe (PID: 2532)
      • Ample Sound Ample Metal Eclipse v310 WiN-OSX.exe (PID: 3416)
    • Connects to the CnC server

      • patricia.exe (PID: 4072)
    • STEALC has been detected (SURICATA)

      • patricia.exe (PID: 4072)
    • Uses Task Scheduler to run other applications

      • a3.tmp (PID: 1364)
    • Starts CMD.EXE for self-deleting

      • a1.exe (PID: 3988)
    • The DLL Hijacking

      • msiexec.exe (PID: 2632)
      • msiexec.exe (PID: 1584)
  • SUSPICIOUS

    • Reads the Internet Settings

      • Ample Sound Ample Metal Eclipse v310 WiN-OSX.tmp (PID: 3564)
      • setup.tmp (PID: 3556)
      • a1.exe (PID: 3988)
      • patricia.exe (PID: 4072)
      • a4.exe (PID: 712)
      • msiexec.exe (PID: 1584)
      • a5.exe (PID: 2316)
      • Ample Sound Ample Metal Eclipse v310 WiN-OSX.tmp (PID: 3128)
    • Reads the Windows owner or organization settings

      • Ample Sound Ample Metal Eclipse v310 WiN-OSX.tmp (PID: 3564)
      • setup.tmp (PID: 3556)
      • a3.tmp (PID: 1364)
      • a5.exe (PID: 2316)
      • msiexec.exe (PID: 2532)
    • Searches for installed software

      • setup.tmp (PID: 3556)
    • Checks Windows Trust Settings

      • setup.tmp (PID: 3556)
      • a1.exe (PID: 3988)
      • a5.exe (PID: 2316)
      • msiexec.exe (PID: 2532)
      • msiexec.exe (PID: 1584)
    • Reads settings of System Certificates

      • setup.tmp (PID: 3556)
      • a1.exe (PID: 3988)
      • a5.exe (PID: 2316)
    • Reads security settings of Internet Explorer

      • setup.tmp (PID: 3556)
      • a1.exe (PID: 3988)
      • a5.exe (PID: 2316)
      • msiexec.exe (PID: 1584)
    • Adds/modifies Windows certificates

      • setup.exe (PID: 3444)
      • setup.tmp (PID: 3556)
    • Process requests binary or script from the Internet

      • setup.tmp (PID: 3556)
    • Reads the BIOS version

      • patricia.exe (PID: 4072)
    • Starts CMD.EXE for commands execution

      • a1.exe (PID: 3988)
    • Checks for Java to be installed

      • msiexec.exe (PID: 2632)
      • msiexec.exe (PID: 1584)
    • Uses TASKKILL.EXE to kill process

      • msiexec.exe (PID: 1584)
    • Runs shell command (SCRIPT)

      • msiexec.exe (PID: 1584)
    • The process creates files with name similar to system file names

      • msiexec.exe (PID: 2532)
  • INFO

    • Create files in a temporary directory

      • Ample Sound Ample Metal Eclipse v310 WiN-OSX.exe (PID: 3416)
      • Ample Sound Ample Metal Eclipse v310 WiN-OSX.exe (PID: 3524)
      • setup.exe (PID: 3444)
      • Ample Sound Ample Metal Eclipse v310 WiN-OSX.tmp (PID: 3564)
      • setup.tmp (PID: 3556)
      • a1.exe (PID: 3988)
      • a3.exe (PID: 1360)
      • a4.exe (PID: 712)
      • a5.exe (PID: 2316)
      • msiexec.exe (PID: 2532)
    • Checks supported languages

      • Ample Sound Ample Metal Eclipse v310 WiN-OSX.exe (PID: 3416)
      • Ample Sound Ample Metal Eclipse v310 WiN-OSX.tmp (PID: 3128)
      • setup.exe (PID: 3444)
      • Ample Sound Ample Metal Eclipse v310 WiN-OSX.tmp (PID: 3564)
      • setup.tmp (PID: 3556)
      • wmpnscfg.exe (PID: 3812)
      • a1.exe (PID: 3988)
      • patricia.exe (PID: 4072)
      • a3.tmp (PID: 1364)
      • a3.exe (PID: 1360)
      • a4.exe (PID: 712)
      • a5.exe (PID: 2316)
      • msiexec.exe (PID: 2532)
      • msiexec.exe (PID: 1584)
      • msiexec.exe (PID: 2632)
      • Ample Sound Ample Metal Eclipse v310 WiN-OSX.exe (PID: 3524)
      • msiexec.exe (PID: 2460)
    • Reads the computer name

      • Ample Sound Ample Metal Eclipse v310 WiN-OSX.tmp (PID: 3564)
      • Ample Sound Ample Metal Eclipse v310 WiN-OSX.tmp (PID: 3128)
      • setup.tmp (PID: 3556)
      • wmpnscfg.exe (PID: 3812)
      • a1.exe (PID: 3988)
      • patricia.exe (PID: 4072)
      • a4.exe (PID: 712)
      • a3.tmp (PID: 1364)
      • a5.exe (PID: 2316)
      • msiexec.exe (PID: 2532)
      • msiexec.exe (PID: 2632)
      • msiexec.exe (PID: 1584)
      • msiexec.exe (PID: 2460)
    • Creates files in the program directory

      • Ample Sound Ample Metal Eclipse v310 WiN-OSX.tmp (PID: 3564)
      • setup.tmp (PID: 3556)
    • Reads the machine GUID from the registry

      • setup.tmp (PID: 3556)
      • wmpnscfg.exe (PID: 3812)
      • a1.exe (PID: 3988)
      • patricia.exe (PID: 4072)
      • a4.exe (PID: 712)
      • a5.exe (PID: 2316)
      • msiexec.exe (PID: 2532)
      • msiexec.exe (PID: 2632)
      • msiexec.exe (PID: 1584)
      • msiexec.exe (PID: 2460)
    • Checks proxy server information

      • setup.tmp (PID: 3556)
      • a1.exe (PID: 3988)
      • patricia.exe (PID: 4072)
      • a5.exe (PID: 2316)
      • msiexec.exe (PID: 1584)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 3812)
      • chrome.exe (PID: 2412)
    • Creates files or folders in the user directory

      • setup.tmp (PID: 3556)
      • a1.exe (PID: 3988)
      • a3.tmp (PID: 1364)
      • a5.exe (PID: 2316)
      • msiexec.exe (PID: 1584)
    • Reads mouse settings

      • a1.exe (PID: 3988)
    • Reads Environment values

      • a4.exe (PID: 712)
      • a5.exe (PID: 2316)
      • msiexec.exe (PID: 2632)
      • msiexec.exe (PID: 1584)
    • Process checks Powershell version

      • msiexec.exe (PID: 2632)
      • msiexec.exe (PID: 1584)
    • Application launched itself

      • msiexec.exe (PID: 2532)
      • msedge.exe (PID: 3200)
      • chrome.exe (PID: 2412)
    • Reads Microsoft Office registry keys

      • msiexec.exe (PID: 2632)
      • msiexec.exe (PID: 1584)
No Malware configuration.

TRiD

.exe | Inno Setup installer (53.5)
.exe | InstallShield setup (21)
.exe | Win32 EXE PECompact compressed (generic) (20.2)
.exe | Win32 Executable (generic) (2.1)
.exe | Win16/32 Executable Delphi generic (1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:02:15 15:54:16+01:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 741888
InitializedDataSize: 89600
UninitializedDataSize: -
EntryPoint: 0xb5eec
OSVersion: 6.1
ImageVersion: 6
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName:
FileDescription: Ample Sound Ample Metal Eclipse v310 WiN-OSX Setup
FileVersion:
LegalCopyright:
OriginalFileName:
ProductName: Ample Sound Ample Metal Eclipse v310 WiN-OSX
ProductVersion: 1.0
Total processes
98
Monitored processes
49
Malicious processes
14
Suspicious processes
0

Behavior graph

  • start
  • ample sound ample metal eclipse v310 win-osx.exe (no specs)
  • ample sound ample metal eclipse v310 win-osx.tmp (no specs)
  • ample sound ample metal eclipse v310 win-osx.exe
  • ample sound ample metal eclipse v310 win-osx.tmp
  • setup.exe (no specs)
  • setup.tmp
  • wmpnscfg.exe (no specs)
  • a1.exe
  • patricia.exe #STEALC
  • cmd.exe (no specs)
  • ping.exe (no specs)
  • ntvdm.exe (no specs)
  • a3.exe (no specs)
  • a3.tmp (no specs)
  • schtasks.exe (no specs)
  • schtasks.exe (no specs)
  • a4.exe
  • a5.exe
  • msiexec.exe (no specs)
  • msiexec.exe (no specs)
  • msiexec.exe (no specs)
  • msiexec.exe
  • taskkill.exe (no specs)
  • msiexec.exe (no specs)
  • msedge.exe
  • msedge.exe (no specs)
  • msedge.exe
  • msedge.exe (no specs)
  • msedge.exe (no specs)
  • msedge.exe (no specs)
  • msedge.exe (no specs)
  • msedge.exe (no specs)
  • msedge.exe (no specs)
  • msedge.exe (no specs)
  • msedge.exe (no specs)
  • msedge.exe (no specs)
  • msedge.exe (no specs)
  • msedge.exe (no specs)
  • msedge.exe (no specs)
  • msedge.exe (no specs)
  • msedge.exe (no specs)
  • chrome.exe
  • chrome.exe (no specs)
  • chrome.exe (no specs)
  • chrome.exe
  • chrome.exe (no specs)
  • chrome.exe (no specs)
  • chrome.exe (no specs)
  • chrome.exe (no specs)
  • chrome.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 556
CMD: "schtasks" /Query /TN "DigitalCloudUpdateTask"
Path: C:\Windows\System32\schtasks.exe
Parent process: a3.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Manages scheduled tasks
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
PID: 588
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3224 --field-trial-handle=1300,i,16258996234344083485,16301597913936218444,131072 /prefetch:8
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 712
CMD: "C:\Users\admin\AppData\Local\Temp\is-O7122.tmp\a4.exe" 2666 s
Path: C:\Users\admin\AppData\Local\Temp\is-O7122.tmp\a4.exe
Parent process: setup.tmp
User:
admin
Integrity Level:
HIGH
Description:
Installer
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-o7122.tmp\a4.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 1152
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3608 --field-trial-handle=1300,i,16258996234344083485,16301597913936218444,131072 /prefetch:8
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1236
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3944 --field-trial-handle=1300,i,16258996234344083485,16301597913936218444,131072 /prefetch:8
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1272
CMD: "schtasks" /Create /TN "DigitalCloudUpdateTask" /SC HOURLY /TR "C:\Users\admin\AppData\Roaming\DigitalCloud\DigitalCloudUpdate.exe"
Path: C:\Windows\System32\schtasks.exe
Parent process: a3.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Manages scheduled tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
PID: 1348
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4180 --field-trial-handle=1300,i,16258996234344083485,16301597913936218444,131072 /prefetch:8
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1360
CMD: "C:\Users\admin\AppData\Local\Temp\is-O7122.tmp\a3.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /PID=6752 /CLICKID=2666 /SOURCEID=2666
Path: C:\Users\admin\AppData\Local\Temp\is-O7122.tmp\a3.exe
Parent process: setup.tmp
User:
admin
Company:
DigitalCloud, Ltd.
Integrity Level:
HIGH
Description:
DigitalCloud Setup
Exit code:
0
Version:
Modules
Images
c:\users\admin\appdata\local\temp\is-o7122.tmp\a3.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
PID: 1364
CMD: "C:\Users\admin\AppData\Local\Temp\is-QAPSK.tmp\a3.tmp" /SL5="$801D0,5598936,832512,C:\Users\admin\AppData\Local\Temp\is-O7122.tmp\a3.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /PID=6752 /CLICKID=2666 /SOURCEID=2666
Path: C:\Users\admin\AppData\Local\Temp\is-QAPSK.tmp\a3.tmp
Parent process: a3.exe
User:
admin
Company:
DigitalCloud, Ltd.
Integrity Level:
HIGH
Description:
Setup/Uninstall
Exit code:
0
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-qapsk.tmp\a3.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mpr.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 1376
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3440 --field-trial-handle=1300,i,16258996234344083485,16301597913936218444,131072 /prefetch:1
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events
27 934
Read events
27 683
Write events
215
Delete events
36

Modification events

(PID) Process: (3556) setup.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: ProxyEnable
Value: 0

(PID) Process: (3556) setup.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation: write
Name: SavedLegacySettings
Value: 4600000059010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (3556) setup.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (3556) setup.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (3556) setup.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (3556) setup.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (3556) setup.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (3556) setup.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (3556) setup.tmp
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\17A\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3556) setup.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8
Operation: write
Name: Blob
Value:
Executable files
49
Suspicious files
140
Text files
102
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 3416
Process: Ample Sound Ample Metal Eclipse v310 WiN-OSX.exe
Filename: C:\Users\admin\AppData\Local\Temp\is-NG35P.tmp\Ample Sound Ample Metal Eclipse v310 WiN-OSX.tmp
Type: executable
MD5: 80D6419FDFEAB169B87CC627855E86C7
SHA256: ED50A68BE9D28972832702A199D66360BE3CFE2978C848F23158632446B30D1A

PID: 3564
Process: Ample Sound Ample Metal Eclipse v310 WiN-OSX.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-HBLGV.tmp\st
Type: text
MD5: 6FDAFDAFBC277C0E556F4CAC942F45C7
SHA256: C07B0E01FFDDC13FDFD5CFB0839CF0604B060F6A51D37F6EBA6184635AAE047C

PID: 3524
Process: Ample Sound Ample Metal Eclipse v310 WiN-OSX.exe
Filename: C:\Users\admin\AppData\Local\Temp\is-AD63R.tmp\Ample Sound Ample Metal Eclipse v310 WiN-OSX.tmp
Type: executable
MD5: 80D6419FDFEAB169B87CC627855E86C7
SHA256: ED50A68BE9D28972832702A199D66360BE3CFE2978C848F23158632446B30D1A

PID: 3564
Process: Ample Sound Ample Metal Eclipse v310 WiN-OSX.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-HBLGV.tmp\sta
Type: text
MD5: 444BCB3A3FCF8389296C49467F27E1D6
SHA256: 2689367B205C16CE32ED4200942B8B8B1E262DFC70D9BC9FBC77C49699A4F1DF

PID: 3564
Process: Ample Sound Ample Metal Eclipse v310 WiN-OSX.tmp
Filename: C:\Program Files\Ample Sound Ample Metal Eclipse v310 WiN-OSX\unins000.dat
Type: binary
MD5: 7EC1D375BFB3C60898499B8C9A19CCB3
SHA256: B654A38BC36011BE70F784953BD1537524D11CC01FCBDE0452CFF908463D945D

PID: 3564
Process: Ample Sound Ample Metal Eclipse v310 WiN-OSX.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-HBLGV.tmp\setup.exe
Type: executable
MD5: 45121AAEE6D4257E43930CDF1CCE8256
SHA256: DDF7DDB5923DB7BDB0F254169F07CEE69C90B958B4EF4C5D58D2F2B5996E03D0

PID: 3564
Process: Ample Sound Ample Metal Eclipse v310 WiN-OSX.tmp
Filename: C:\Program Files\Ample Sound Ample Metal Eclipse v310 WiN-OSX\unins000.exe
Type: executable
MD5: EDF8BFB6BDC84934C710C33FD54F11D5
SHA256: B9D974A6E8A4EF98F6B8040336E117A7F123590B283010C458037C30E1662540

PID: 3564
Process: Ample Sound Ample Metal Eclipse v310 WiN-OSX.tmp
Filename: C:\Program Files\Ample Sound Ample Metal Eclipse v310 WiN-OSX\is-QV39Q.tmp
Type: executable
MD5: EDF8BFB6BDC84934C710C33FD54F11D5
SHA256: B9D974A6E8A4EF98F6B8040336E117A7F123590B283010C458037C30E1662540

PID: 3556
Process: setup.tmp
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
Type: binary
MD5: 40BF92AD67454731D0AE9BE5CA054C21
SHA256: 2CE55A47E3DA10B2475E8E7F89208B3A99B930AFF5B2B0C5F0A3AD119CA5ADFD

PID: 3564
Process: Ample Sound Ample Metal Eclipse v310 WiN-OSX.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-HBLGV.tmp\is-PMVSE.tmp
Type: executable
MD5: 45121AAEE6D4257E43930CDF1CCE8256
SHA256: DDF7DDB5923DB7BDB0F254169F07CEE69C90B958B4EF4C5D58D2F2B5996E03D0
HTTP(S) requests
30
TCP/UDP connections
53
DNS requests
67
Threats
31

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3556 | setup.tmp | HEAD | 200 | 37.1.198.251:80 | http://ambadevgroup.info/load/1893/promo.exe | unknown | - | - | unknown
3556 | setup.tmp | HEAD | 200 | 23.106.59.52:80 | http://www.mildstat.com/ping/?count=true&id=3gn4m2ide1 | unknown | - | - | unknown
3564 | Ample Sound Ample Metal Eclipse v310 WiN-OSX.tmp | GET | 200 | 104.21.76.176:80 | http://cookchildren.online/ki.php?p=3942&t=47518560&title=QW1wbGUgU291bmQgQW1wbGUgTWV0YWwgRWNsaXBzZSB2MzEwIFdpTi1PU1g=&sub=2666&ps=654dfd4697fb6 | unknown | text | 152 b | unknown
3564 | Ample Sound Ample Metal Eclipse v310 WiN-OSX.tmp | GET | 200 | 188.114.96.3:80 | http://tripsilver.xyz/pe/buildIN.php?sub=2666&source=3942&s1=47518560&title=QW1wbGUgU291bmQgQW1wbGUgTWV0YWwgRWNsaXBzZSB2MzEwIFdpTi1PU1g%3D&ti=1699611594 | unknown | executable | 4.90 Mb | unknown
3556 | setup.tmp | GET | 200 | 37.1.198.251:80 | http://ambadevgroup.info/load/1893/promo.exe | unknown | executable | 996 Kb | unknown
3988 | a1.exe | GET | 302 | 37.1.198.251:80 | http://mysoftwareusa.info/stats.php?company_id=2&lua=user | unknown | text | 3 b | unknown
3556 | setup.tmp | GET | 200 | 2.16.238.25:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?ee3d6fed254c33ab | unknown | compressed | 61.6 Kb | unknown
3564 | Ample Sound Ample Metal Eclipse v310 WiN-OSX.tmp | GET | 200 | 104.21.76.176:80 | http://cookchildren.online/kis.php | unknown | text | 2 b | unknown
3556 | setup.tmp | GET | 200 | 23.60.200.134:80 | http://x2.c.lencr.org/ | unknown | binary | 300 b | unknown
3988 | a1.exe | GET | 200 | 37.1.198.251:80 | http://mysoftwareusa.info/stat_eu_bek.php | unknown | text | 3 b | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
2588 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
3564 | Ample Sound Ample Metal Eclipse v310 WiN-OSX.tmp | 104.21.76.176:80 | cookchildren.online | CLOUDFLARENET | - | unknown
3564 | Ample Sound Ample Metal Eclipse v310 WiN-OSX.tmp | 188.114.96.3:80 | tripsilver.xyz | CLOUDFLARENET | NL | unknown
3556 | setup.tmp | 172.67.161.180:443 | x.prosefriend.online | CLOUDFLARENET | US | unknown
3556 | setup.tmp | 2.16.238.25:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | unknown
3556 | setup.tmp | 23.212.210.158:80 | x1.c.lencr.org | AKAMAI-AS | AU | unknown
3556 | setup.tmp | 23.60.200.134:80 | x2.c.lencr.org | AKAMAI-AS | DE | unknown

DNS requests

Domain
IP
Reputation
cookchildren.online
  • 104.21.76.176
  • 172.67.198.98
unknown
tripsilver.xyz
  • 188.114.96.3
  • 188.114.97.3
unknown
x.prosefriend.online
  • 172.67.161.180
  • 104.21.9.238
unknown
ctldl.windowsupdate.com
  • 2.16.238.25
  • 2.16.238.21
whitelisted
x1.c.lencr.org
  • 23.212.210.158
whitelisted
x2.c.lencr.org
  • 23.60.200.134
whitelisted
ambadevgroup.info
  • 37.1.198.251
unknown
mysoftwareusa.info
  • 37.1.198.251
unknown
iplogger.com
  • 172.67.194.188
  • 104.21.12.138
shared
ocsp.pki.goog
  • 172.217.23.99
whitelisted

Threats

PID | Process | Class | Message
3564 | Ample Sound Ample Metal Eclipse v310 WiN-OSX.tmp | Possibly Unwanted Program Detected | ET ADWARE_PUP Win32/TrojanDownloader Variant Activity (GET)
3564 | Ample Sound Ample Metal Eclipse v310 WiN-OSX.tmp | Possibly Unwanted Program Detected | ADWARE [ANY.RUN] InnoSetup Installer
3564 | Ample Sound Ample Metal Eclipse v310 WiN-OSX.tmp | Potentially Bad Traffic | AV INFO HTTP Request to a *.xyz domain
3564 | Ample Sound Ample Metal Eclipse v310 WiN-OSX.tmp | Possibly Unwanted Program Detected | ADWARE [ANY.RUN] InnoSetup Installer
3564 | Ample Sound Ample Metal Eclipse v310 WiN-OSX.tmp | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
3564 | Ample Sound Ample Metal Eclipse v310 WiN-OSX.tmp | Misc activity | ET INFO EXE - Served Attached HTTP
3556 | setup.tmp | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
3988 | a1.exe | Potentially Bad Traffic | ET USER_AGENTS Suspicious User-Agent (Installed OK)
1080 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain (iplogger .com in DNS lookup)
3988 | a1.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)
7 ETPRO signatures available at the full report
Process | Message
patricia.exe | %s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------