File name: AacAmbientLighting.exe

Full analysis: https://app.any.run/tasks/b4ae9d1b-479b-4750-a359-9ab9aa25f9fb
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: July 27, 2024, 15:58:32
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 89EC913BFAAC3D75269EC758EF8E79B6
SHA1: 982BB9EE6D9CDD0DC300F2F365DEF2891E2D38D7
SHA256: F44D71A0BEA0171B085D6918F3341708E1276CE266990882C69887C2E9AAF636
SSDEEP: 98304:p+kUtYMPPYpOdld65kkWAhUEl6laXeBeFjfcrw7RyvCUtB9NgFAr1aPLqcuBqIO1:MF2p

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • AacAmbientLighting.exe (PID: 7032)
      • cmd.exe (PID: 7156)
      • vFnYSZsLbjSUjV.exe (PID: 2240)
      • Appointments.pif (PID: 2692)
      • cmd.exe (PID: 3648)
      • Extras.pif (PID: 4656)
      • Appointments.pif (PID: 4600)
    • Antivirus name has been found in the command line (generic signature)

      • findstr.exe (PID: 7104)
      • findstr.exe (PID: 2068)
      • findstr.exe (PID: 4316)
      • findstr.exe (PID: 1388)
      • findstr.exe (PID: 504)
      • findstr.exe (PID: 4852)
      • findstr.exe (PID: 7132)
      • findstr.exe (PID: 6648)
    • Scans artifacts that could help determine the target

      • Appointments.pif (PID: 2692)
    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 3780)
    • Create files in the Startup directory

      • cmd.exe (PID: 2192)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • AacAmbientLighting.exe (PID: 7032)
      • Appointments.pif (PID: 2692)
      • AacAmbientLighting.exe (PID: 720)
      • vFnYSZsLbjSUjV.exe (PID: 2240)
      • Appointments.pif (PID: 4600)
      • EovJmduARXsqIm.exe (PID: 6524)
    • Reads the date of Windows installation

      • AacAmbientLighting.exe (PID: 7032)
      • AacAmbientLighting.exe (PID: 720)
      • Appointments.pif (PID: 2692)
      • vFnYSZsLbjSUjV.exe (PID: 2240)
      • Appointments.pif (PID: 4600)
      • EovJmduARXsqIm.exe (PID: 6524)
    • Executing commands from ".cmd" file

      • AacAmbientLighting.exe (PID: 7032)
      • AacAmbientLighting.exe (PID: 720)
      • vFnYSZsLbjSUjV.exe (PID: 2240)
      • EovJmduARXsqIm.exe (PID: 6524)
    • Starts CMD.EXE for commands execution

      • AacAmbientLighting.exe (PID: 7032)
      • cmd.exe (PID: 7156)
      • AacAmbientLighting.exe (PID: 720)
      • vFnYSZsLbjSUjV.exe (PID: 2240)
      • cmd.exe (PID: 5848)
      • cmd.exe (PID: 3648)
      • EovJmduARXsqIm.exe (PID: 6524)
      • cmd.exe (PID: 644)
    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 7156)
      • cmd.exe (PID: 5848)
      • cmd.exe (PID: 3648)
      • cmd.exe (PID: 644)
    • Get information on the list of running processes

      • cmd.exe (PID: 7156)
      • cmd.exe (PID: 5848)
      • cmd.exe (PID: 3648)
      • cmd.exe (PID: 644)
    • Application launched itself

      • cmd.exe (PID: 7156)
      • cmd.exe (PID: 5848)
      • cmd.exe (PID: 3648)
      • cmd.exe (PID: 644)
    • Executable content was dropped or overwritten

      • cmd.exe (PID: 7156)
      • Appointments.pif (PID: 2692)
      • cmd.exe (PID: 3648)
      • Extras.pif (PID: 4656)
      • Appointments.pif (PID: 4600)
    • Suspicious file concatenation

      • cmd.exe (PID: 1328)
      • cmd.exe (PID: 3476)
      • cmd.exe (PID: 3660)
      • cmd.exe (PID: 3572)
    • Starts application with an unusual extension

      • cmd.exe (PID: 7156)
      • cmd.exe (PID: 5848)
      • cmd.exe (PID: 3648)
      • cmd.exe (PID: 644)
    • Drops a file with a rarely used extension (PIF)

      • cmd.exe (PID: 7156)
      • cmd.exe (PID: 3648)
      • Extras.pif (PID: 4656)
    • The executable file from the user directory is run by the CMD process

      • Appointments.pif (PID: 2692)
      • Appointments.pif (PID: 4600)
      • Extras.pif (PID: 4656)
      • Extras.pif (PID: 7156)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 7156)
      • cmd.exe (PID: 5848)
      • cmd.exe (PID: 3648)
      • cmd.exe (PID: 644)
    • Checks Windows Trust Settings

      • Appointments.pif (PID: 2692)
      • Appointments.pif (PID: 4600)
    • Process drops legitimate windows executable

      • Appointments.pif (PID: 2692)
  • INFO

    • Create files in a temporary directory

      • AacAmbientLighting.exe (PID: 7032)
      • Appointments.pif (PID: 2692)
      • vFnYSZsLbjSUjV.exe (PID: 2240)
      • AacAmbientLighting.exe (PID: 720)
      • EovJmduARXsqIm.exe (PID: 6524)
    • Reads the computer name

      • AacAmbientLighting.exe (PID: 7032)
      • Appointments.pif (PID: 2692)
      • AacAmbientLighting.exe (PID: 720)
      • vFnYSZsLbjSUjV.exe (PID: 2240)
      • Appointments.pif (PID: 4600)
      • Extras.pif (PID: 4656)
      • EovJmduARXsqIm.exe (PID: 6524)
    • Checks supported languages

      • AacAmbientLighting.exe (PID: 7032)
      • Appointments.pif (PID: 2692)
      • vFnYSZsLbjSUjV.exe (PID: 2240)
      • AacAmbientLighting.exe (PID: 720)
      • Appointments.pif (PID: 4600)
      • Extras.pif (PID: 4656)
      • EovJmduARXsqIm.exe (PID: 6524)
      • Extras.pif (PID: 7156)
      • Extras.pif (PID: 132)
    • Process checks computer location settings

      • AacAmbientLighting.exe (PID: 7032)
      • Appointments.pif (PID: 2692)
      • AacAmbientLighting.exe (PID: 720)
      • vFnYSZsLbjSUjV.exe (PID: 2240)
      • Appointments.pif (PID: 4600)
      • EovJmduARXsqIm.exe (PID: 6524)
    • Reads mouse settings

      • Appointments.pif (PID: 2692)
      • Appointments.pif (PID: 4600)
      • Extras.pif (PID: 4656)
      • Extras.pif (PID: 7156)
    • Reads the software policy settings

      • Appointments.pif (PID: 2692)
      • slui.exe (PID: 2748)
      • Appointments.pif (PID: 4600)
    • Checks proxy server information

      • Appointments.pif (PID: 2692)
      • slui.exe (PID: 2748)
      • Appointments.pif (PID: 4600)
    • Reads the machine GUID from the registry

      • Appointments.pif (PID: 2692)
      • Appointments.pif (PID: 4600)
    • Creates files or folders in the user directory

      • Appointments.pif (PID: 2692)
      • Extras.pif (PID: 4656)
      • Appointments.pif (PID: 4600)
      • Extras.pif (PID: 132)
    • Creates files in the program directory

      • Appointments.pif (PID: 2692)
      • Appointments.pif (PID: 4600)
    • Manual execution by a user

      • AacAmbientLighting.exe (PID: 720)
      • cmd.exe (PID: 2192)
      • Extras.pif (PID: 132)
      • Extras.pif (PID: 7016)
      • cmd.exe (PID: 3780)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:02:24 19:19:54+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 28160
InitializedDataSize: 446976
UninitializedDataSize: 16896
EntryPoint: 0x3883
OSVersion: 5
ImageVersion: 6
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 6.6.0.8957
ProductVersionNumber: 33.2.1.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
LegalCopyright: ©Pale Moon, Firefox and Mozilla Developers, available under the MPL 2.0.
CompanyName: Moonchild Productions
FileDescription: Pale Moon web browser
FileVersion: 6.6.0
ProductVersion: 33.2.1
InternalName: Pale Moon
LegalTrademarks: The Pale Moon logo and project names are trademarks of Moonchild Productions.
OriginalFileName: palemoon.exe
ProductName: Pale Moon
BuildID: 20240710123718
The version resource presents the file as Pale Moon 33.2.1 built on 2024-07-10, yet the PE header reports linker version 10 and a 2012 link timestamp, and the process tree shows the binary acting as a cmd.exe launcher rather than a browser. Version-resource metadata matching a legitimate product is not evidence of the file's origin.
No data.
All screenshots are available in the full report
Total processes: 187
Monitored processes: 55
Malicious processes: 10
Suspicious processes: 1

Behavior graph

Process launch order as shown in the graph (annotations as in the original):

  • aacambientlighting.exe (no specs)
  • cmd.exe
  • conhost.exe (no specs)
  • tasklist.exe (no specs)
  • findstr.exe (no specs)
  • tasklist.exe (no specs)
  • findstr.exe (no specs)
  • cmd.exe (no specs)
  • findstr.exe (no specs)
  • cmd.exe (no specs)
  • appointments.pif
  • timeout.exe (no specs)
  • slui.exe
  • aacambientlighting.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • vfnyszslbjsujv.exe (no specs)
  • tasklist.exe (no specs)
  • findstr.exe (no specs)
  • cmd.exe
  • conhost.exe (no specs)
  • tasklist.exe (no specs)
  • findstr.exe (no specs)
  • cmd.exe (no specs)
  • findstr.exe (no specs)
  • cmd.exe (no specs)
  • appointments.pif
  • timeout.exe (no specs)
  • tasklist.exe (no specs)
  • findstr.exe (no specs)
  • tasklist.exe (no specs)
  • findstr.exe (no specs)
  • cmd.exe (no specs)
  • findstr.exe (no specs)
  • cmd.exe (no specs)
  • extras.pif
  • timeout.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • schtasks.exe (no specs)
  • cmd.exe
  • conhost.exe (no specs)
  • extras.pif (no specs)
  • eovjmduarxsqim.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • tasklist.exe (no specs)
  • findstr.exe (no specs)
  • tasklist.exe (no specs)
  • findstr.exe (no specs)
  • cmd.exe (no specs)
  • cmd.exe (no specs)
  • extras.pif (no specs)
  • timeout.exe (no specs)
  • extras.pif (no specs)

Process information

PID: 132
CMD: C:\Users\admin\AppData\Local\Temp\649005\Extras.pif
Path: C:\Users\admin\AppData\Local\Temp\649005\Extras.pif
Parent process: explorer.exe
User: admin
Company: AutoIt Team
Integrity Level: MEDIUM
Description: AutoIt v3 Script
Exit code: 0
Version: 3, 3, 14, 4
Modules (images):
c:\users\admin\appdata\local\temp\649005\extras.pif
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 308
CMD: timeout 5
Path: C:\Windows\SysWOW64\timeout.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: timeout - pauses command processing
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 504
CMD: findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
Path: C:\Windows\SysWOW64\findstr.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Find String (QGREP) Utility
Exit code: 1 (findstr returns 1 when no line matches, i.e. none of the listed security-product processes appeared in the tasklist output)
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 644
CMD: "C:\Windows\System32\cmd.exe" /k move Rm Rm.cmd & Rm.cmd & exit
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: EovJmduARXsqIm.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 9009 (cmd.exe's "not recognized as an internal or external command" error level)
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 720
CMD: "C:\Users\admin\Desktop\AacAmbientLighting.exe"
Path: C:\Users\admin\Desktop\AacAmbientLighting.exe
Parent process: explorer.exe
User: admin
Company: Moonchild Productions
Integrity Level: MEDIUM
Description: Pale Moon web browser
Exit code: 0
Version: 6.6.0
Modules (images):
c:\users\admin\desktop\aacambientlighting.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
PID: 736
CMD: tasklist
Path: C:\Windows\SysWOW64\tasklist.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Lists the current running tasks
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 1028
CMD: timeout 5
Path: C:\Windows\SysWOW64\timeout.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: timeout - pauses command processing
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
PID: 1264
CMD: tasklist
Path: C:\Windows\SysWOW64\tasklist.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Lists the current running tasks
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 1292
CMD: timeout 5
Path: C:\Windows\SysWOW64\timeout.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: timeout - pauses command processing
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 1328
CMD: cmd /c copy /b Applicant + Valve + Bin + Reaction + Preceding + Ties 801511\n
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
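The command lines above (tasklist piped into findstr for security-product names, copy /b reassembling a payload from several chunks, timeout 5 between stages, a .pif launched from %TEMP%, and move Rm Rm.cmd & Rm.cmd) are the observable stages of this loader. The following detection logic is an added example written for this page, not ANY.RUN's code: it scores process-creation records for those stages and only flags a host when several co-occur, since any single one (timeout.exe, findstr) is routine in admin scripts. The sample events are constructed from the report's process table; the two benign look-alikes at the end, the record layout and the rule names are assumptions.

```python
"""Score process-creation events for the cmd.exe / findstr / copy /b / .pif loader chain.

Added example, not ANY.RUN's code. SAMPLE_EVENTS is constructed from the
command lines in this report; the benign look-alikes are invented.
"""
import re
from dataclasses import dataclass
from typing import Callable

# Security-product process names taken verbatim from the findstr command line of PID 504.
AV_PROCESS_NAMES = {"avastui.exe", "avgui.exe", "bdservicehost.exe",
                    "nswscsvc.exe", "sophoshealth.exe"}


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon event 1 style: image is the full path)."""
    pid: int
    image: str
    cmdline: str
    parent_image: str


def _name(ev: ProcEvent) -> str:
    return ev.image.rsplit("\\", 1)[-1].lower()


def av_process_probe(ev: ProcEvent) -> bool:
    """findstr filtering (tasklist output) for known security-product names."""
    return _name(ev) == "findstr.exe" and any(
        av in ev.cmdline.lower() for av in AV_PROCESS_NAMES)


def multipart_copy(ev: ProcEvent) -> bool:
    """copy /b a + b + c ...: a payload reassembled from three or more chunks."""
    return re.search(r"copy\s+/b\s+\S+(?:\s*\+\s*\S+){2,}", ev.cmdline, re.I) is not None


def pif_from_temp(ev: ProcEvent) -> bool:
    """A .pif (DOS-era executable extension) launched out of %LOCALAPPDATA%\\Temp."""
    img = ev.image.lower()
    return img.endswith(".pif") and "\\appdata\\local\\temp\\" in img


def rename_then_run_cmd(ev: ProcEvent) -> bool:
    """'move X X.cmd & X.cmd': an extensionless drop renamed to .cmd and executed."""
    return re.search(r"move\s+(\S+)\s+\1\.cmd\b.*&\s*\1\.cmd", ev.cmdline, re.I) is not None


def timeout_delay(ev: ProcEvent) -> bool:
    """timeout.exe spawned by cmd.exe: a sleep between stages."""
    return _name(ev) == "timeout.exe" and ev.parent_image.lower().endswith("cmd.exe")


RULES: dict[str, Callable[[ProcEvent], bool]] = {
    "av_process_probe": av_process_probe,
    "multipart_copy": multipart_copy,
    "pif_from_temp": pif_from_temp,
    "rename_then_run_cmd": rename_then_run_cmd,
    "timeout_delay": timeout_delay,
}


def evaluate(events: list[ProcEvent]) -> dict[str, list[int]]:
    """Map each rule name to the PIDs of the events it matched."""
    return {name: [ev.pid for ev in events if rule(ev)] for name, rule in RULES.items()}


def is_loader_chain(events: list[ProcEvent], min_rules: int = 3) -> bool:
    """Flag when at least min_rules distinct stages are present; co-occurrence is the signal."""
    return sum(1 for pids in evaluate(events).values() if pids) >= min_rules


SAMPLE_EVENTS = [  # constructed from the report's process table
    ProcEvent(736, r"C:\Windows\SysWOW64\tasklist.exe", "tasklist", "cmd.exe"),
    ProcEvent(504, r"C:\Windows\SysWOW64\findstr.exe",
              'findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"',
              "cmd.exe"),
    ProcEvent(1328, r"C:\Windows\SysWOW64\cmd.exe",
              r"cmd /c copy /b Applicant + Valve + Bin + Reaction + Preceding + Ties 801511\n",
              "cmd.exe"),
    ProcEvent(308, r"C:\Windows\SysWOW64\timeout.exe", "timeout 5", "cmd.exe"),
    ProcEvent(132, r"C:\Users\admin\AppData\Local\Temp\649005\Extras.pif",
              r"C:\Users\admin\AppData\Local\Temp\649005\Extras.pif", "explorer.exe"),
    ProcEvent(644, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /k move Rm Rm.cmd & Rm.cmd & exit',
              "EovJmduARXsqIm.exe"),
    # invented benign look-alikes: neither should fire
    ProcEvent(9001, r"C:\Windows\System32\findstr.exe",
              r'findstr /I "error" C:\logs\app.log', "cmd.exe"),
    ProcEvent(9002, r"C:\Windows\System32\cmd.exe",
              "cmd /c copy /b part1.bin + part2.bin whole.bin", "cmd.exe"),
]

if __name__ == "__main__":
    for rule, pids in evaluate(SAMPLE_EVENTS).items():
        print(f"{rule:22s} {pids}")
    print("loader chain:", is_loader_chain(SAMPLE_EVENTS))
```

The multipart_copy rule deliberately requires three or more "+" joined parts so that an ordinary two-file concatenation does not fire; the threshold in is_loader_chain is the knob to tune against your own baseline of cmd.exe activity.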
Total events: 29 889
Read events: 29 835
Write events: 54
Delete events: 0

Modification events

  • PID 7032 AacAmbientLighting.exe: write HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap, ProxyBypass = 1
  • PID 7032 AacAmbientLighting.exe: write HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap, IntranetName = 1
  • PID 7032 AacAmbientLighting.exe: write HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap, UNCAsIntranet = 1
  • PID 7032 AacAmbientLighting.exe: write HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap, AutoDetect = 0
  • PID 2692 Appointments.pif: write HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap, ProxyBypass = 1
  • PID 2692 Appointments.pif: write HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap, IntranetName = 1
  • PID 2692 Appointments.pif: write HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap, UNCAsIntranet = 1
  • PID 2692 Appointments.pif: write HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap, AutoDetect = 0
  • PID 2692 Appointments.pif: write HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content, CachePrefix = (empty)
  • PID 2692 Appointments.pif: write HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies, CachePrefix = Cookie:
Executable files: 12
Suspicious files: 117
Text files: 89
Unknown types: 4

Dropped files

(PID, process, filename; MD5 and SHA256 per file)
PID 7032 AacAmbientLighting.exe: C:\Users\admin\AppData\Local\Temp\Uponabr
MD5:4BBC3585B0E37BF75403CEC60A17DEC0
SHA256:B63FA5BDEFDAA0919E49BA4B23834A0DA5625025C58D6A8AAA5D6AC3FF2B0032
PID 7032 AacAmbientLighting.exe: C:\Users\admin\AppData\Local\Temp\Vicbinary
MD5:AE5595E93A093CD9F96D125C680F8DC8
SHA256:3B3E694F7F0F75DAA6C3CB5B790998099B46B122DD38997A8CB3D7099862A15D
PID 7032 AacAmbientLighting.exe: C:\Users\admin\AppData\Local\Temp\Naturallybinary
MD5:BD8099BB827B3048AACD0DCEBED8A034
SHA256:540A2922103562BE8E359B0D532B82D8A65AB94AA513B274247B353C91176592
PID 7032 AacAmbientLighting.exe: C:\Users\admin\AppData\Local\Temp\Jpgcsp
MD5:EAC1C5EE8DB6D7D23B5A2DA763A9433E
SHA256:193C77C9A4A542ADB1EA2AC3001C5B28D16717DCE2148044107EE0E33EA86256
PID 7032 AacAmbientLighting.exe: C:\Users\admin\AppData\Local\Temp\Theftbinary
MD5:9440F43EA442C65A0EFF8D58CFE672D1
SHA256:22A2D32144F56AEBC824FB3DFC2762B0B16D91A9F55B5872928646EDCB9CA965
PID 7032 AacAmbientLighting.exe: C:\Users\admin\AppData\Local\Temp\Valvebinary
MD5:838B0E582A99B19038A0857B7DB0C588
SHA256:27F6086F232015BCED6011ED9C5D109DD7244E9CB33DE0005ED97FCB3B4287C5
PID 7032 AacAmbientLighting.exe: C:\Users\admin\AppData\Local\Temp\Copbinary
MD5:8002B5DB58BDDA7AD73683F1DF7D6A6F
SHA256:286F88AE05BD8622DCDDE80705529340B28EEFE8546606CEA78CBD1C15E39EC9
PID 7032 AacAmbientLighting.exe: C:\Users\admin\AppData\Local\Temp\Agedbinary
MD5:B042AB8A19036DB81E1EA7DAA6F30D08
SHA256:7F9746E7DD60C643AF58A39CF8AD3BEAFAB424C58AACCE664B926215CDD839A4
PID 7032 AacAmbientLighting.exe: C:\Users\admin\AppData\Local\Temp\Cancelledtext
MD5:C0B82387727F8BF4862DB5A5DCE59215
SHA256:E9A47DDA2F440BC7FB029BC8C801C455D8F16AB95505A3D4F3BD7EBA919355D2
PID 7032 AacAmbientLighting.exe: C:\Users\admin\AppData\Local\Temp\Flavorbinary
MD5:7613B1E338FAD672482240461F021DA7
SHA256:AC450B3CF524A758B78079D85AE03EFCF8E049AD7BD38FDD847F46EE2BDF289A
HTTP(S) requests: 7
TCP/UDP connections: 25
DNS requests: 14
Threats: 5

HTTP requests (PID and process were not recorded for these rows; columns: method, HTTP code, IP, URL, CN, type, size)

  • GET 200 91.108.107.41:443 https://officialdomain345.online/stub/UnRAR.dll, CN unknown, executable, 304 Kb
  • GET 200 188.114.96.9:443 https://t2rl.pwarticles.pro/scar/data.rar, CN unknown, compressed, 9.69 Mb
  • POST 200 104.208.16.92:443 https://self.events.data.microsoft.com/OneCollector/1.0/, CN unknown, binary, 9 b
  • POST 204 92.123.104.63:443 https://www.bing.com/threshold/xls.aspx, CN unknown
  • GET 200 188.114.97.9:443 https://t2rl.pwarticles.pro/scar/Runtie.exe, CN unknown, executable, 5.45 Mb
  • GET 200 13.107.246.45:443 https://fp-afd-nocache-ccp.azureedge.net/apc/trans.gif?5d4a2dcba33e699653c21a0699ed0e8d, CN unknown, image, 43 b
  • POST 500 40.91.76.224:443 https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail, CN unknown, xml, 512 b

Connections (PID, process, IP, domain, ASN, CN, reputation)

  • PID 4 System: 192.168.100.255:138, whitelisted
  • PID 1180 svchost.exe: 51.104.136.2:443 settings-win.data.microsoft.com, MICROSOFT-CORP-MSN-AS-BLOCK, IE, whitelisted
  • PID 4820 slui.exe: 40.91.76.224:443 activation-v2.sls.microsoft.com, MICROSOFT-CORP-MSN-AS-BLOCK, US, whitelisted
  • PID 6012 MoUsoCoreWorker.exe: 51.104.136.2:443 settings-win.data.microsoft.com, MICROSOFT-CORP-MSN-AS-BLOCK, IE, whitelisted
  • PID 4128 RUXIMICS.exe: 51.104.136.2:443 settings-win.data.microsoft.com, MICROSOFT-CORP-MSN-AS-BLOCK, IE, whitelisted
  • (PID and process not recorded): 92.123.104.52:443, Akamai International B.V., DE, unknown
  • (PID and process not recorded): 131.253.33.254:443 a-ring-fallback.msedge.net, MICROSOFT-CORP-MSN-AS-BLOCK, US, unknown
  • (PID and process not recorded): 40.91.76.224:443 activation-v2.sls.microsoft.com, MICROSOFT-CORP-MSN-AS-BLOCK, US, whitelisted
  • PID 3952 svchost.exe: 239.255.255.250:1900, whitelisted
  • PID 4 System: 192.168.100.255:137, whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
google.com
  • 216.58.206.78
whitelisted
AMpBwvvBIuHNOTwNi.AMpBwvvBIuHNOTwNi
unknown
self.events.data.microsoft.com
  • 20.42.65.90
whitelisted
officialdomain345.online
  • 91.108.107.41
unknown
t2rl.pwarticles.pro
  • 188.114.97.3
  • 188.114.96.3
unknown
zWjfqxpNSYvLaHiQsqX.zWjfqxpNSYvLaHiQsqX
unknown
a-ring-fallback.msedge.net
  • 131.253.33.254
unknown
fp-afd-nocache-ccp.azureedge.net
  • 13.107.246.45
whitelisted

Threats (PID and process not recorded; class: message)

  • Potential Corporate Privacy Violation: ET POLICY PE EXE or DLL Windows file download HTTP
  • A Network Trojan was detected: ET MALWARE Possible Windows executable sent when remote host claims to send a Text File
  • A Network Trojan was detected: ET MALWARE Likely Evil EXE download from MSXMLHTTP non-exe extension M2
  • A Network Trojan was detected: ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
1 ETPRO signature available in the full report
No debug info
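The HTTP table and the ET alerts above describe the same thing from two angles: PE files fetched over HTTPS from two non-allowlisted hosts, at least one of them served under a misleading Content-Type. The following triage script is an added example written for this page, not ANY.RUN's code or an ET rule: it checks each transfer's body for the MZ magic, compares that with the URL extension and the declared Content-Type (the logic behind the "claims to send a Text File" and "non-exe extension" alerts), and extracts the hosts and IPs that are not on an allowlist. The methods, codes, IPs and URLs are taken from the report; the Content-Type headers, the leading body bytes, the allowlist and the invented "PE as PNG" observation are assumptions for the demonstration.

```python
"""Triage of HTTP transfers from a sandbox report: PE-vs-declared-type checks and IOC extraction.

Added example, not ANY.RUN's code. URLs, methods, codes and IPs come from the
report; Content-Type headers and body bytes are constructed.
"""
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumed allowlist: suffixes of the hosts the sandbox itself marked "whitelisted"
# (Windows telemetry, activation, Edge/Bing front ends).
ALLOWLIST_SUFFIXES = ("microsoft.com", "msedge.net", "azureedge.net", "bing.com", "google.com")

# Extensions under which a PE body is expected; anything else is the "non-exe extension" case.
EXECUTABLE_EXTENSIONS = (".exe", ".dll", ".pif", ".scr", ".cpl", ".sys")

# Content-Type prefixes that honestly describe a PE body.
BINARY_CONTENT_TYPES = ("application/octet-stream", "application/x-msdownload",
                        "application/x-dosexec", "application/vnd.microsoft.portable-executable")


@dataclass(frozen=True)
class HttpObservation:
    method: str
    status: int
    ip: str            # "host:port" as the report prints it
    url: str
    content_type: str  # constructed: Content-Type header the server sent
    body_head: bytes   # constructed: first bytes of the response body


def is_allowlisted(host: str) -> bool:
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in ALLOWLIST_SUFFIXES)


def is_pe(body_head: bytes) -> bool:
    """DOS-stub magic; enough for a first-pass classifier."""
    return body_head[:2] == b"MZ"


def classify(obs: HttpObservation) -> list[str]:
    """Findings for one transfer; an empty list means nothing to flag."""
    parsed = urlparse(obs.url)
    host = parsed.hostname or ""
    if is_allowlisted(host):
        return []
    findings = []
    if is_pe(obs.body_head):
        findings.append("pe_download")
        if not parsed.path.lower().endswith(EXECUTABLE_EXTENSIONS):
            findings.append("pe_with_non_exe_extension")
        if not obs.content_type.lower().startswith(BINARY_CONTENT_TYPES):
            # e.g. "pe_declared_as_text" for text/html or text/plain
            findings.append("pe_declared_as_" + obs.content_type.split("/")[0].lower())
    return findings


def extract_iocs(observations: list[HttpObservation]) -> dict[str, list[str]]:
    """Hosts and IPs contacted that are not on the allowlist, de-duplicated and sorted."""
    hosts, ips = set(), set()
    for obs in observations:
        host = urlparse(obs.url).hostname or ""
        if not is_allowlisted(host):
            hosts.add(host)
            ips.add(obs.ip.rsplit(":", 1)[0])
    return {"hosts": sorted(hosts), "ips": sorted(ips)}


MZ = b"MZ\x90\x00\x03\x00\x00\x00"   # constructed DOS header prefix
RAR = b"Rar!\x1a\x07\x01\x00"         # constructed RAR5 signature

SAMPLE_HTTP = [  # request lines from the report; types and bodies constructed
    HttpObservation("GET", 200, "91.108.107.41:443",
                    "https://officialdomain345.online/stub/UnRAR.dll",
                    "application/octet-stream", MZ),
    HttpObservation("GET", 200, "188.114.96.9:443",
                    "https://t2rl.pwarticles.pro/scar/data.rar",
                    "application/x-rar-compressed", RAR),
    HttpObservation("GET", 200, "188.114.97.9:443",
                    "https://t2rl.pwarticles.pro/scar/Runtie.exe",
                    "text/html", MZ),
    HttpObservation("POST", 200, "104.208.16.92:443",
                    "https://self.events.data.microsoft.com/OneCollector/1.0/",
                    "application/octet-stream", b"\x00"),
    HttpObservation("GET", 200, "13.107.246.45:443",
                    "https://fp-afd-nocache-ccp.azureedge.net/apc/trans.gif?5d4a2dcba33e699653c21a0699ed0e8d",
                    "image/gif", b"GIF89a"),
]

# Invented observation: a PE served under an image name with an image Content-Type.
DISGUISED = HttpObservation("GET", 200, "203.0.113.10:443",
                            "https://cdn.example.invalid/img/logo.png", "image/png", MZ)

if __name__ == "__main__":
    for obs in SAMPLE_HTTP + [DISGUISED]:
        print(obs.url, classify(obs))
    print(extract_iocs(SAMPLE_HTTP))
```

The classifier reports on what the bytes are, not on what the server says they are; the file-type column in the report ("executable", "compressed") is the sandbox's own sniffing result, and the ET alert fired because at least one of these servers declared a text type for an MZ body.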