File name: l3.exe
Full analysis: https://app.any.run/tasks/73be7abe-fe79-406d-ba5b-e0a7d05b272e
Verdict: Malicious activity
Analysis date: April 10, 2025, 00:55:22
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: raccoonclipper
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 7 sections
MD5: A77C1C41FDDCA9C973B2162BACE0F990
SHA1: 9D6EF6C492222548E1F6A6B5F9656D063F9C304E
SHA256: 2820B924640B10EB028A6FB30A77DB1D3C53077E368FDF204FA914306E1ECC3A
SSDEEP: 98304:Q2m5OHX+Z1y0mPytqVkuIzkY6EN1DqnVEKa9RB+amaIeCJfmZGG8riVq309nQJeM:iBhx3Kcn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Uses Task Scheduler to run other applications

      • l3.exe (PID: 5680)
      • oobeldr.exe (PID: 7892)
    • RACCOONCLIPPER has been detected (YARA)

      • oobeldr.exe (PID: 7892)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • l3.exe (PID: 5680)
    • The process executes via Task Scheduler

      • oobeldr.exe (PID: 7892)
  • INFO

    • Checks supported languages

      • l3.exe (PID: 5680)
      • oobeldr.exe (PID: 7892)
    • Creates files or folders in the user directory

      • l3.exe (PID: 5680)
    • Reads the software policy settings

      • slui.exe (PID: 7380)

RaccoonClipper

Process: oobeldr.exe (PID 7892)
Wallets (21):
  • 44y2ostLsCHhZumgg5gWsAjAs7YXqrfUL9ZNnnF2eDTpXF3ePniVsh84XV8L3opvhtM5c7qCVKuNcQU6sJDdVnVuJo8iMDo
  • RKVrxLdwd96dYWWDiSPWgxFFMptKWk3hJC
  • addr1qyt44dydvv3nv0mq4wyvfuraau7tegxcpcsnlla9nl6tx4qht26g6cerxclkp2ugcnc8mmeuhjsdsr3p8ll6t8l5kd2q9qm0nj
  • cosmos1vhjg2ru7f4rj0f2ufeks2rkzjnxxtjpu7w8j80
  • AR5fY8jPcDfJUo354vs9xBDhUY34DGd273
  • r4qZSfz3su9M9i3vCjkyekgkrn9nDPVUWs
  • 8387rcPNz8SRX6pYXgdxCZg3VMLFwtdJB3Z9LeX8Ge2n
  • ltc1q3lga9nvsq082z0nymtv6ta5zaa7f5hc9gqt4wh
  • ronin:7dd689b469effa35084b690b72c9e8b56535a0ee
  • t1YyT26xv4ZAHWTxqqHUoWcW9NhZ7SQoYMj
  • THob3fXbiKVHQgtYDkU1TzFbRfLET7SgGU
  • Ae2tdPwUPEYyW788tJcg85Ki7GLaaccd8a1pntDWTuYwXJ3aH5STciRSi4B
  • XodDVk8GrQasJmGovaBDtC9k6Zd8uM4h8U
  • 156UGALjatSQnY7wy4LruP6CEE5VoczdZE
  • bc1qcv6mdq9yqp6nxnattluvun429jaq2qztwrgfjv
  • bnb1yjequl3q4j30w6xjqh2ny7p72t3r4qu5vqr5wl
  • t1aqpmg1REJ9VxjqJfh85MZEAxyjuPHn4mM
  • BNVTORWZ4FKK2PXHJ7VX34WF24UE43UUULRGYKPQKBZ2JYWQEEQBCFYJ5Y
  • DDR9LzezMwV5Ew7ZD1Dwm6EQqeM4ZYR6ux
  • 0x398F9a102Fd5ebEc7cc10389D974A0cEd5d8849F
  • LNpwdvdBjv5aHWGcz6myLZHRFMRsLY6b45
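A clipper's job is to watch the clipboard for cryptocurrency addresses and replace them with an attacker-controlled address of the same chain, which is why the extracted configuration holds one address per supported chain. The Python below is an added example, not code from the sample or from ANY.RUN: it classifies the 21 extracted addresses by chain using illustrative regexes (the chain labels and patterns are assumptions and not exhaustive; addresses they do not cover are reported as "unknown"), models the like-for-like swap, and implements the check a wallet user or an endpoint agent can apply: what is pasted must equal what was copied, and must not be a known attacker wallet. The victim address in the usage section is a constructed example.

```python
import re

# The 21 replacement addresses extracted from oobeldr.exe (PID 7892), copied from the report.
RACCOON_WALLETS = [
    "44y2ostLsCHhZumgg5gWsAjAs7YXqrfUL9ZNnnF2eDTpXF3ePniVsh84XV8L3opvhtM5c7qCVKuNcQU6sJDdVnVuJo8iMDo",
    "RKVrxLdwd96dYWWDiSPWgxFFMptKWk3hJC",
    "addr1qyt44dydvv3nv0mq4wyvfuraau7tegxcpcsnlla9nl6tx4qht26g6cerxclkp2ugcnc8mmeuhjsdsr3p8ll6t8l5kd2q9qm0nj",
    "cosmos1vhjg2ru7f4rj0f2ufeks2rkzjnxxtjpu7w8j80",
    "AR5fY8jPcDfJUo354vs9xBDhUY34DGd273",
    "r4qZSfz3su9M9i3vCjkyekgkrn9nDPVUWs",
    "8387rcPNz8SRX6pYXgdxCZg3VMLFwtdJB3Z9LeX8Ge2n",
    "ltc1q3lga9nvsq082z0nymtv6ta5zaa7f5hc9gqt4wh",
    "ronin:7dd689b469effa35084b690b72c9e8b56535a0ee",
    "t1YyT26xv4ZAHWTxqqHUoWcW9NhZ7SQoYMj",
    "THob3fXbiKVHQgtYDkU1TzFbRfLET7SgGU",
    "Ae2tdPwUPEYyW788tJcg85Ki7GLaaccd8a1pntDWTuYwXJ3aH5STciRSi4B",
    "XodDVk8GrQasJmGovaBDtC9k6Zd8uM4h8U",
    "156UGALjatSQnY7wy4LruP6CEE5VoczdZE",
    "bc1qcv6mdq9yqp6nxnattluvun429jaq2qztwrgfjv",
    "bnb1yjequl3q4j30w6xjqh2ny7p72t3r4qu5vqr5wl",
    "t1aqpmg1REJ9VxjqJfh85MZEAxyjuPHn4mM",
    "BNVTORWZ4FKK2PXHJ7VX34WF24UE43UUULRGYKPQKBZ2JYWQEEQBCFYJ5Y",
    "DDR9LzezMwV5Ew7ZD1Dwm6EQqeM4ZYR6ux",
    "0x398F9a102Fd5ebEc7cc10389D974A0cEd5d8849F",
    "LNpwdvdBjv5aHWGcz6myLZHRFMRsLY6b45",
]

B58 = r"[1-9A-HJ-NP-Za-km-z]"   # base58 alphabet (no 0, O, I, l)
B32 = r"[02-9ac-hj-np-z]"       # bech32 data alphabet (no 1, b, i, o)

# Ordered, first match wins. Chain labels and patterns are assumptions for illustration,
# good enough to sort the list above; they are not a validated address parser.
ADDRESS_PATTERNS = [
    ("ETH",         re.compile(r"0x[0-9a-fA-F]{40}")),
    ("RONIN",       re.compile(r"ronin:[0-9a-fA-F]{40}")),
    ("BTC-bech32",  re.compile(r"bc1" + B32 + r"{25,62}")),
    ("LTC-bech32",  re.compile(r"ltc1" + B32 + r"{25,62}")),
    ("ADA-shelley", re.compile(r"addr1" + B32 + r"{50,}")),
    ("ATOM",        re.compile(r"cosmos1" + B32 + r"{38}")),
    ("BNB",         re.compile(r"bnb1" + B32 + r"{38}")),
    ("XMR",         re.compile(r"4[0-9AB]" + B58 + r"{93}")),
    ("ADA-byron",   re.compile(r"Ae2" + B58 + r"{50,}")),
    ("ZEC-t",       re.compile(r"t1" + B58 + r"{33}")),
    ("TRX",         re.compile(r"T" + B58 + r"{33}")),
    ("DOGE",        re.compile(r"D[5-9A-HJ-NP-U]" + B58 + r"{32}")),
    ("XRP",         re.compile(r"r" + B58 + r"{24,34}")),
    ("DASH",        re.compile(r"X" + B58 + r"{33}")),
    ("RVN",         re.compile(r"R" + B58 + r"{33}")),
    ("LTC-legacy",  re.compile(r"[LM]" + B58 + r"{26,33}")),
    ("BTC-legacy",  re.compile(r"[13]" + B58 + r"{25,34}")),
    ("ALGO",        re.compile(r"[A-Z2-7]{58}")),
]


def classify_address(s: str) -> str:
    """Return the chain label of the first pattern that fully matches s, else 'unknown'."""
    for chain, pat in ADDRESS_PATTERNS:
        if pat.fullmatch(s):
            return chain
    return "unknown"


def build_swap_table(wallets=RACCOON_WALLETS) -> dict:
    """chain -> attacker address: the like-for-like lookup a clipper needs (first address per chain wins)."""
    table = {}
    for w in wallets:
        chain = classify_address(w)
        if chain != "unknown":
            table.setdefault(chain, w)
    return table


_TOKEN = re.compile(r"[A-Za-z0-9:]+")


def clipper_swap(clipboard_text: str, table: dict) -> str:
    """Model of the clipper behaviour on a clipboard update: every token that parses as a
    wallet address of a chain in the table is replaced by the attacker's address for that chain."""
    return _TOKEN.sub(lambda m: table.get(classify_address(m.group(0)), m.group(0)), clipboard_text)


def check_paste(copied: str, pasted: str, known_bad=RACCOON_WALLETS) -> dict:
    """User/host-side check: what is pasted must equal what was copied; also match against known attacker wallets."""
    return {
        "swapped": copied != pasted,
        "chain": classify_address(pasted),
        "known_attacker_wallet": pasted in set(known_bad),
    }


if __name__ == "__main__":
    table = build_swap_table()
    for chain, addr in sorted(table.items()):
        print(f"{chain:12s} {addr}")
    victim = "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"  # constructed victim address
    pasted = clipper_swap(victim, table)
    print(check_paste(victim, pasted))
```

Running the block prints the chain-to-address table and then the result for the constructed victim address, which comes back swapped and matching a known attacker wallet. In practice, feed check_paste the clipboard contents captured before and after a paste, or use RACCOON_WALLETS as a plain IOC list against clipboard history and outbound transaction logs.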

TRiD

.dll | Win32 Dynamic Link Library (generic) (43.5)
.exe | Win32 Executable (generic) (29.8)
.exe | Generic Win/DOS Executable (13.2)
.exe | DOS Executable Generic (13.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:01:07 14:26:49+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.29
CodeSize: 6144
InitializedDataSize: 5632
UninitializedDataSize: -
EntryPoint: 0x66f75c
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
Total processes
140
Monitored processes
9
Malicious processes
1
Suspicious processes
0

Behavior graph

Process tree, reconstructed from the parent-process fields in the Process information section (the report's graph lists the nodes in a single flat row):

explorer.exe
    l3.exe (PID 5680)
        schtasks.exe (PID 7304)
            conhost.exe (PID 7320)
svchost.exe (hosting the Task Scheduler service, consistent with the "executes via Task Scheduler" indicator)
    oobeldr.exe (PID 7892) #RACCOONCLIPPER
        schtasks.exe (PID 7912)
            conhost.exe (PID 7920)
svchost.exe
    SppExtComObj.exe (PID 7288)
        slui.exe (PID 7380)
    slui.exe (PID 8008)

Process information

PID: 5680
CMD: "C:\Users\admin\AppData\Local\Temp\l3.exe"
Path: C:\Users\admin\AppData\Local\Temp\l3.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
4294967295
Modules
Images
c:\users\admin\appdata\local\temp\l3.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll
PID: 7288
CMD: C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path: C:\Windows\System32\SppExtComObj.Exe
Parent process: svchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
PID: 7304
CMD: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
Path: C:\Windows\SysWOW64\schtasks.exe
Parent process: l3.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 7320
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: schtasks.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 7380
CMD: "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path: C:\Windows\System32\slui.exe
Parent process: SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 7892
CMD: "C:\Users\admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
Path: C:\Users\admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
Parent process: svchost.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\roaming\microsoft\protect\oobeldr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll
PID: 7912
CMD: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
Path: C:\Windows\SysWOW64\schtasks.exe
Parent process: oobeldr.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
PID: 7920
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: schtasks.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 8008
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
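The two schtasks invocations recorded above (PID 7304 from l3.exe, PID 7912 from the dropped copy oobeldr.exe) are the sample's persistence: a task named "Telemetry Logging" runs the copy from %APPDATA%\Microsoft\Protect every minute, and each run re-creates the task with /F, so deleting l3.exe alone does not remove it. The Python below is an added example, not code from the report or the sample: it parses schtasks command lines as they appear in process-creation telemetry and flags task creation that targets a user-writable directory with a high-frequency trigger or a Microsoft-looking path outside the system directories. The two malicious command lines are copied from the report; the third, benign one is constructed for contrast; the directory lists, the 5-minute threshold and the scoring rule are assumptions, not ANY.RUN's signature logic.

```python
import re

# Constructed input: the two schtasks command lines recorded in the report (PIDs 7304 and 7912,
# spawned by l3.exe and oobeldr.exe) plus one assumed benign line for contrast.
SAMPLE_CMDLINES = [
    (7304, "l3.exe",
     r'/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"'),
    (7912, "oobeldr.exe",
     r'/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"'),
    (4242, "installer.exe",  # assumed benign example, not from the report
     r'/create /sc daily /st 03:00 /tn "Vendor Updater" /tr "C:\Program Files\Vendor\update.exe"'),
]

# schtasks switches that consume the following token as their value (subset; assumption)
_VALUED = {"sc", "mo", "tn", "tr", "st", "sd", "ed", "ru", "rp", "d", "m", "i",
           "du", "ri", "s", "u", "p", "et", "xml", "rl"}
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def parse_schtasks(cmdline: str) -> dict:
    """Split a schtasks command line into {switch: value or True}; names lower-cased, quotes stripped."""
    tokens = [q or p for q, p in _TOKEN.findall(cmdline)]
    switches, i = {}, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            name = tok[1:].lower()
            if name in _VALUED and i + 1 < len(tokens):
                switches[name] = tokens[i + 1]
                i += 2
                continue
            switches[name] = True
        i += 1
    return switches


def interval_minutes(sw: dict):
    """Run interval implied by /sc and /mo, or None for non-periodic schedules."""
    sc = str(sw.get("sc", "")).lower()
    try:
        mo = int(sw.get("mo", 1))
    except (TypeError, ValueError):
        return None
    return {"minute": mo, "hourly": 60 * mo}.get(sc)


# Directories an unprivileged user can write to (assumed list; extend for your environment)
_USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\(appdata|downloads|desktop|documents)|programdata|windows\\temp)\\", re.I)
_SYSTEM_DIRS = re.compile(r"^[a-z]:\\(windows|program files( \(x86\))?)\\", re.I)


def assess_task(sw: dict, max_interval_min: int = 5) -> dict:
    """Score one parsed schtasks invocation. Rule and thresholds are assumptions for this example."""
    if not sw.get("create"):
        return {"suspicious": False, "task_name": sw.get("tn"), "target": None, "reasons": []}
    target = str(sw.get("tr", ""))
    mins = interval_minutes(sw)
    high_freq = mins is not None and mins <= max_interval_min
    user_dir = bool(_USER_WRITABLE.match(target))
    masquerade = "\\microsoft\\" in target.lower() and not _SYSTEM_DIRS.match(target)
    reasons = []
    if high_freq:
        reasons.append(f"runs every {mins} min")
    if user_dir:
        reasons.append("target in user-writable directory")
    if masquerade:
        reasons.append("Microsoft-looking path outside system directories")
    if sw.get("f"):
        reasons.append("/F overwrites any existing task of the same name without prompting")
    return {"suspicious": user_dir and (high_freq or masquerade),
            "task_name": sw.get("tn"), "target": target, "reasons": reasons}


def scan(cmdlines=SAMPLE_CMDLINES) -> list:
    """Apply assess_task to (pid, parent, cmdline) tuples and return the suspicious findings."""
    findings = []
    for pid, parent, cmd in cmdlines:
        verdict = assess_task(parse_schtasks(cmd))
        if verdict["suspicious"]:
            findings.append({"pid": pid, "parent": parent, **verdict})
    return findings


if __name__ == "__main__":
    for f in scan():
        print(f"PID {f['pid']} ({f['parent']}): task {f['task_name']!r} -> {f['target']}; "
              + "; ".join(f["reasons"]))
```

On a live host the same rule can be applied to the output of schtasks /query /xml or Get-ScheduledTask rather than to process telemetry; either way the remediation order matters: delete the task first, then the copy under %APPDATA%\Microsoft\Protect, since the next one-minute trigger would otherwise re-create the task.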
Total events
653
Read events
653
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID: 5680
Process: l3.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
Type: executable
MD5: A77C1C41FDDCA9C973B2162BACE0F990
SHA256: 2820B924640B10EB028A6FB30A77DB1D3C53077E368FDF204FA914306E1ECC3A
Note: the dropped file's MD5 and SHA256 are identical to those of the submitted sample, so l3.exe copies itself byte-for-byte to %APPDATA%\Microsoft\Protect\oobeldr.exe (a directory that normally holds DPAPI material, not executables) rather than unpacking a distinct payload; the scheduled task then runs that copy every minute.
HTTP(S) requests
5
TCP/UDP connections
19
DNS requests
14
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
23.53.40.176:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2104
svchost.exe
GET
200
23.53.40.176:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
7744
SIHClient.exe
GET
200
23.38.81.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
7744
SIHClient.exe
GET
200
23.38.81.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
7000
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5496
MoUsoCoreWorker.exe
23.53.40.176:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2104
svchost.exe
23.53.40.176:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
2104
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3216
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
7744
SIHClient.exe
20.109.210.53:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7744
SIHClient.exe
23.38.81.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
google.com
  • 142.250.186.142
whitelisted
crl.microsoft.com
  • 23.53.40.176
  • 23.53.40.178
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
www.microsoft.com
  • 23.38.81.171
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
nexusrules.officeapps.live.com
  • 52.111.243.31
whitelisted
login.live.com
  • 20.190.160.65
  • 20.190.160.128
  • 40.126.32.72
  • 40.126.32.68
  • 20.190.160.4
  • 40.126.32.134
  • 40.126.32.74
  • 20.190.160.67
whitelisted

Threats

No threats detected