Malware analysis AacAmbientLighting.exe Malicious activity

Add for printing

File name:	AacAmbientLighting.exe
Full analysis:	https://app.any.run/tasks/14310413-00fc-43ee-8610-94d2b3034563
Verdict:	Malicious activity
Analysis date:	July 27, 2024, 14:07:23
OS:	Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	89EC913BFAAC3D75269EC758EF8E79B6
SHA1:	982BB9EE6D9CDD0DC300F2F365DEF2891E2D38D7
SHA256:	F44D71A0BEA0171B085D6918F3341708E1276CE266990882C69887C2E9AAF636
SSDEEP:	98304:p+kUtYMPPYpOdld65kkWAhUEl6laXeBeFjfcrw7RyvCUtB9NgFAr1aPLqcuBqIO1:MF2p

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 60 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - AacAmbientLighting.exe (PID: 7076)
  - cmd.exe (PID: 3280)
  - Appointments.pif (PID: 5084)
  - OJakTMBspRHacH.exe (PID: 1476)
  - cmd.exe (PID: 5624)
  - Extras.pif (PID: 6952)
- Antivirus name has been found in the command line (generic signature)
  - findstr.exe (PID: 7040)
  - findstr.exe (PID: 5196)
  - findstr.exe (PID: 2348)
  - findstr.exe (PID: 6728)
- Scans artifacts that could help determine the target
  - Appointments.pif (PID: 5084)
- Uses Task Scheduler to run other applications
  - cmd.exe (PID: 2380)
- Create files in the Startup directory
  - cmd.exe (PID: 5192)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - AacAmbientLighting.exe (PID: 7076)
  - Appointments.pif (PID: 5084)
  - OJakTMBspRHacH.exe (PID: 1476)
- Starts CMD.EXE for commands execution
  - AacAmbientLighting.exe (PID: 7076)
  - cmd.exe (PID: 3280)
  - OJakTMBspRHacH.exe (PID: 1476)
  - cmd.exe (PID: 5624)
- Executing commands from ".cmd" file
  - AacAmbientLighting.exe (PID: 7076)
  - OJakTMBspRHacH.exe (PID: 1476)
- Reads the date of Windows installation
  - AacAmbientLighting.exe (PID: 7076)
  - Appointments.pif (PID: 5084)
  - OJakTMBspRHacH.exe (PID: 1476)
- Get information on the list of running processes
  - cmd.exe (PID: 3280)
  - cmd.exe (PID: 5624)
- Using 'findstr.exe' to search for text patterns in files and output
  - cmd.exe (PID: 3280)
  - cmd.exe (PID: 5624)
- Uses TIMEOUT.EXE to delay execution
  - cmd.exe (PID: 3280)
  - cmd.exe (PID: 5624)
- Application launched itself
  - cmd.exe (PID: 3280)
  - cmd.exe (PID: 5624)
- Drops a file with a rarely used extension (PIF)
  - cmd.exe (PID: 3280)
  - cmd.exe (PID: 5624)
  - Extras.pif (PID: 6952)
- Suspicious file concatenation
  - cmd.exe (PID: 2968)
  - cmd.exe (PID: 2928)
- The executable file from the user directory is run by the CMD process
  - Appointments.pif (PID: 5084)
  - Extras.pif (PID: 6952)
- Executable content was dropped or overwritten
  - cmd.exe (PID: 3280)
  - Appointments.pif (PID: 5084)
  - cmd.exe (PID: 5624)
  - Extras.pif (PID: 6952)
- Starts application with an unusual extension
  - cmd.exe (PID: 3280)
  - cmd.exe (PID: 5624)
- Process drops legitimate windows executable
  - Appointments.pif (PID: 5084)
- Checks Windows Trust Settings
  - Appointments.pif (PID: 5084)
INFO
- Reads the computer name
  - AacAmbientLighting.exe (PID: 7076)
  - Appointments.pif (PID: 5084)
  - OJakTMBspRHacH.exe (PID: 1476)
  - Extras.pif (PID: 6952)
- Process checks computer location settings
  - AacAmbientLighting.exe (PID: 7076)
  - Appointments.pif (PID: 5084)
  - OJakTMBspRHacH.exe (PID: 1476)
- Create files in a temporary directory
  - AacAmbientLighting.exe (PID: 7076)
  - Appointments.pif (PID: 5084)
  - OJakTMBspRHacH.exe (PID: 1476)
- Checks supported languages
  - AacAmbientLighting.exe (PID: 7076)
  - Appointments.pif (PID: 5084)
  - OJakTMBspRHacH.exe (PID: 1476)
  - Extras.pif (PID: 6952)
  - Extras.pif (PID: 6764)
- Reads mouse settings
  - Appointments.pif (PID: 5084)
  - Extras.pif (PID: 6952)
- Checks proxy server information
  - Appointments.pif (PID: 5084)
  - slui.exe (PID: 6512)
- Creates files or folders in the user directory
  - Appointments.pif (PID: 5084)
  - Extras.pif (PID: 6952)
  - Extras.pif (PID: 6764)
- Creates files in the program directory
  - Appointments.pif (PID: 5084)
- Reads the machine GUID from the registry
  - Appointments.pif (PID: 5084)
- Reads the software policy settings
  - Appointments.pif (PID: 5084)
  - slui.exe (PID: 6512)
- Manual execution by a user
  - cmd.exe (PID: 2380)
  - cmd.exe (PID: 5192)
  - Extras.pif (PID: 6764)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2012:02:24 19:19:54+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	10
CodeSize:	28160
InitializedDataSize:	446976
UninitializedDataSize:	16896
EntryPoint:	0x3883
OSVersion:	5
ImageVersion:	6
SubsystemVersion:	5
Subsystem:	Windows GUI
FileVersionNumber:	6.6.0.8957
ProductVersionNumber:	33.2.1.0
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Dynamic link library
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
LegalCopyright:	©Pale Moon, Firefox and Mozilla Developers, available under the MPL 2.0.
CompanyName:	Moonchild Productions
FileDescription:	Pale Moon web browser
FileVersion:	6.6.0
ProductVersion:	33.2.1
InternalName:	Pale Moon
LegalTrademarks:	The Pale Moon logo and project names are trademarks of Moonchild Productions.
OriginalFileName:	palemoon.exe
ProductName:	Pale Moon
BuildID:	20240710123718

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

169

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

236

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1080

findstr /V "pizzaplaneslemongirl" Bestiality

C:\Windows\SysWOW64\findstr.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Find String (QGREP) Utility

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

1108

tasklist

C:\Windows\SysWOW64\tasklist.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Lists the current running tasks

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

1476

"C:\Users\admin\AppData\Roaming\DirectX11\OJakTMBspRHacH.exe"

C:\Users\admin\AppData\Roaming\DirectX11\OJakTMBspRHacH.exe

—

Appointments.pif

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\appdata\roaming\directx11\ojaktmbsprhach.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

1544

tasklist

C:\Windows\SysWOW64\tasklist.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Lists the current running tasks

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

2300

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2340

tasklist

C:\Windows\SysWOW64\tasklist.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Lists the current running tasks

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

2348

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\findstr.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Find String (QGREP) Utility

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

2380

cmd /c schtasks.exe /create /tn "Bath" /tr "wscript //B 'C:\Users\admin\AppData\Local\EduInno Dynamics\SophieCraft.js'" /sc minute /mo 5 /F

C:\Windows\System32\cmd.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll

2928

cmd /c copy /b Saint + Helpful + Intel + Recommend + Drawn + Recently + Desert 649005\H

C:\Windows\SysWOW64\cmd.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

Add for printing

Total events

11 262

Read events

11 235

Write events

Delete events

Modification events


(PID) Process:	(7076) AacAmbientLighting.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(7076) AacAmbientLighting.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(7076) AacAmbientLighting.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(7076) AacAmbientLighting.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(5084) Appointments.pif	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(5084) Appointments.pif	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(5084) Appointments.pif	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(5084) Appointments.pif	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(5084) Appointments.pif	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(5084) Appointments.pif	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:

Add for printing

Executable files

Suspicious files

118

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
7076	AacAmbientLighting.exe	C:\Users\admin\AppData\Local\Temp\Aged		binary
		MD5:B042AB8A19036DB81E1EA7DAA6F30D08	SHA256:7F9746E7DD60C643AF58A39CF8AD3BEAFAB424C58AACCE664B926215CDD839A4
7076	AacAmbientLighting.exe	C:\Users\admin\AppData\Local\Temp\Theft		binary
		MD5:9440F43EA442C65A0EFF8D58CFE672D1	SHA256:22A2D32144F56AEBC824FB3DFC2762B0B16D91A9F55B5872928646EDCB9CA965
7076	AacAmbientLighting.exe	C:\Users\admin\AppData\Local\Temp\Upon		abr
		MD5:4BBC3585B0E37BF75403CEC60A17DEC0	SHA256:B63FA5BDEFDAA0919E49BA4B23834A0DA5625025C58D6A8AAA5D6AC3FF2B0032
7076	AacAmbientLighting.exe	C:\Users\admin\AppData\Local\Temp\Artwork		binary
		MD5:3EF5875DCD287C7029AAFAED8E517BC7	SHA256:B8C861FD8669AD7DABEB9AE4D2B75AF2D1F0CEBA230890CC8345A59B98185E7E
7076	AacAmbientLighting.exe	C:\Users\admin\AppData\Local\Temp\Naturally		binary
		MD5:BD8099BB827B3048AACD0DCEBED8A034	SHA256:540A2922103562BE8E359B0D532B82D8A65AB94AA513B274247B353C91176592
7076	AacAmbientLighting.exe	C:\Users\admin\AppData\Local\Temp\Jpg		csp
		MD5:EAC1C5EE8DB6D7D23B5A2DA763A9433E	SHA256:193C77C9A4A542ADB1EA2AC3001C5B28D16717DCE2148044107EE0E33EA86256
7076	AacAmbientLighting.exe	C:\Users\admin\AppData\Local\Temp\Cancelled		text
		MD5:C0B82387727F8BF4862DB5A5DCE59215	SHA256:E9A47DDA2F440BC7FB029BC8C801C455D8F16AB95505A3D4F3BD7EBA919355D2
7076	AacAmbientLighting.exe	C:\Users\admin\AppData\Local\Temp\Both		binary
		MD5:D8424E9052638FCC608B524EC1B9828A	SHA256:E3DFFBCB4F5674731DA9389AB3DB18B075383233E4AEB75CAF4D0106024FEF0B
7076	AacAmbientLighting.exe	C:\Users\admin\AppData\Local\Temp\Poetry		binary
		MD5:8EBF9DFB8937A0D9C7DD2794D24F8228	SHA256:228C12ABA0B36B80765BFC03CE8F6678E8B7BFEA296BAF0DBB1C193B70E59710
7076	AacAmbientLighting.exe	C:\Users\admin\AppData\Local\Temp\Ties		ini
		MD5:F3C4A22F12FE13CCAA211DDB1FE1114B	SHA256:AD6A515649D98FFFECC2E712368E6C0007ED4721C8AB40B58DE3853A77DC3E6D

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4424	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
5368	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
3676	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
4132	OfficeClickToRun.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D	unknown	—	—	whitelisted
5084	Appointments.pif	GET	200	142.250.186.35:80	http://c.pki.goog/r/r4.crl	unknown	—	—	whitelisted
3156	svchost.exe	GET	304	2.19.217.103:80	http://x1.c.lencr.org/	unknown	—	—	whitelisted
1256	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
5084	Appointments.pif	GET	200	142.250.186.35:80	http://c.pki.goog/r/gsr1.crl	unknown	—	—	whitelisted
5368	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4128	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	131.253.33.254:443	a-ring-fallback.msedge.net	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
—	—	95.100.146.32:443	www.bing.com	Akamai International B.V.	CZ	unknown
6012	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3948	slui.exe	40.91.76.224:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
5800	RUXIMICS.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2668	slui.exe	40.91.76.224:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
3952	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
396	slui.exe	40.91.76.224:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

DNS requests

Domain	IP	Reputation
t-ring-fdv2.msedge.net	13.107.237.254	unknown
settings-win.data.microsoft.com	20.73.194.208 40.127.240.158 4.231.128.59	whitelisted
a-ring-fallback.msedge.net	131.253.33.254	unknown
www.bing.com	95.100.146.32 95.100.146.33 95.100.146.25 95.100.146.40 95.100.146.19 95.100.146.24 95.100.146.26 95.100.146.16 95.100.146.35 95.100.146.27 95.100.146.17	whitelisted
google.com	142.250.181.238	whitelisted
AMpBwvvBIuHNOTwNi.AMpBwvvBIuHNOTwNi	—	unknown
login.live.com	20.190.160.17 40.126.32.68 40.126.32.136 40.126.32.72 40.126.32.134 40.126.32.133 40.126.32.140 40.126.32.76	whitelisted
fp-afd-nocache-ccp.azureedge.net	13.107.246.60	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
client.wns.windows.com	40.115.3.253	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

AacAmbientLighting.exe

89EC913BFAAC3D75269EC758EF8E79B6

982BB9EE6D9CDD0DC300F2F365DEF2891E2D38D7

F44D71A0BEA0171B085D6918F3341708E1276CE266990882C69887C2E9AAF636

98304:p+kUtYMPPYpOdld65kkWAhUEl6laXeBeFjfcrw7RyvCUtB9NgFAr1aPLqcuBqIO1:MF2p

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Antivirus name has been found in the command line (generic signature)

Scans artifacts that could help determine the target

Uses Task Scheduler to run other applications

Create files in the Startup directory

SUSPICIOUS

Reads security settings of Internet Explorer

Starts CMD.EXE for commands execution

Executing commands from ".cmd" file

Reads the date of Windows installation

Get information on the list of running processes

Using 'findstr.exe' to search for text patterns in files and output

Uses TIMEOUT.EXE to delay execution

Application launched itself

Drops a file with a rarely used extension (PIF)

Suspicious file concatenation

The executable file from the user directory is run by the CMD process

Executable content was dropped or overwritten

Starts application with an unusual extension

Process drops legitimate windows executable

Checks Windows Trust Settings

INFO

Reads the computer name

Process checks computer location settings

Create files in a temporary directory

Checks supported languages

Reads mouse settings

Checks proxy server information

Creates files or folders in the user directory

Creates files in the program directory

Reads the machine GUID from the registry

Reads the software policy settings

Manual execution by a user

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity