File name:

Lmn.exe

Full analysis: https://app.any.run/tasks/c642870b-6838-44e9-a9b7-eb7547948f7d
Verdict: Malicious activity
Threats:

DCrat, also known as Dark Crystal RAT, is a remote access trojan (RAT) first introduced in 2018. It is modular malware that can be customized to perform different tasks: for instance, it can steal passwords and crypto wallet information, hijack Telegram and Steam accounts, and more. Attackers distribute DCrat in a variety of ways, but phishing email campaigns are the most common.

Analysis date: January 30, 2025, 14:04:48
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
dcrat
netreactor
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:

AED0C4405D6E0B816CBA085F77A91834

SHA1:

E0D21958E20DA6858076A8A9EDFA6145F6585BA3

SHA256:

59DD9884A1067DDCB77A07445D47C505B760A57062D8373D75868968435AD31F

SSDEEP:

98304:ZFrKdQ8S5ei1iKokGNTbm5KLcYjhaMFbQlWBBeyeOO6rAwcsLJNKLT:ZrYvCj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Uses sleep, probably for detection evasion (SCRIPT)

      • wscript.exe (PID: 6860)
      • wscript.exe (PID: 8128)
      • wscript.exe (PID: 8172)
    • DCRAT has been detected (YARA)

      • componentfontperf.exe (PID: 6984)
    • Adds path to the Windows Defender exclusion list

      • componentfontperf.exe (PID: 6984)
  • SUSPICIOUS

    • Executed via WMI

      • schtasks.exe (PID: 7164)
      • schtasks.exe (PID: 7140)
      • schtasks.exe (PID: 5340)
      • schtasks.exe (PID: 1920)
      • schtasks.exe (PID: 6176)
      • schtasks.exe (PID: 3732)
      • schtasks.exe (PID: 1804)
      • schtasks.exe (PID: 6284)
      • schtasks.exe (PID: 3992)
      • schtasks.exe (PID: 6348)
      • schtasks.exe (PID: 1140)
      • schtasks.exe (PID: 5920)
      • schtasks.exe (PID: 6204)
      • schtasks.exe (PID: 6740)
      • schtasks.exe (PID: 6568)
      • schtasks.exe (PID: 3544)
      • schtasks.exe (PID: 6060)
      • schtasks.exe (PID: 3832)
      • schtasks.exe (PID: 5444)
      • schtasks.exe (PID: 5096)
      • schtasks.exe (PID: 1480)
      • schtasks.exe (PID: 6728)
      • schtasks.exe (PID: 4716)
      • schtasks.exe (PID: 4592)
      • schtasks.exe (PID: 3680)
      • schtasks.exe (PID: 3364)
      • schtasks.exe (PID: 3812)
      • schtasks.exe (PID: 4984)
      • schtasks.exe (PID: 4996)
      • schtasks.exe (PID: 3080)
      • schtasks.exe (PID: 3792)
      • schtasks.exe (PID: 5252)
      • schtasks.exe (PID: 6056)
      • schtasks.exe (PID: 5544)
      • schtasks.exe (PID: 3436)
      • schtasks.exe (PID: 5604)
      • schtasks.exe (PID: 4672)
      • schtasks.exe (PID: 6868)
      • schtasks.exe (PID: 6900)
      • schtasks.exe (PID: 6784)
      • schtasks.exe (PID: 5404)
      • schtasks.exe (PID: 2996)
      • schtasks.exe (PID: 7068)
      • schtasks.exe (PID: 2736)
      • schtasks.exe (PID: 3060)
      • schtasks.exe (PID: 1612)
      • schtasks.exe (PID: 6244)
      • schtasks.exe (PID: 4132)
      • schtasks.exe (PID: 3612)
      • schtasks.exe (PID: 6812)
      • schtasks.exe (PID: 6800)
    • Reads security settings of Internet Explorer

      • Lmn.exe (PID: 6780)
    • Executing commands from a ".bat" file

      • wscript.exe (PID: 6860)
      • componentfontperf.exe (PID: 6984)
    • Executable content was dropped or overwritten

      • Lmn.exe (PID: 6780)
      • componentfontperf.exe (PID: 6984)
      • OfficeClickToRun.exe (PID: 7588)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 6860)
    • Starts CMD.EXE for commands execution

      • wscript.exe (PID: 6860)
      • componentfontperf.exe (PID: 6984)
    • The process creates files with name similar to system file names

      • componentfontperf.exe (PID: 6984)
    • Likely accesses (executes) a file from the Public directory

      • schtasks.exe (PID: 4984)
      • schtasks.exe (PID: 4996)
      • schtasks.exe (PID: 3792)
    • Starts POWERSHELL.EXE for commands execution

      • componentfontperf.exe (PID: 6984)
    • Script adds exclusion path to Windows Defender

      • componentfontperf.exe (PID: 6984)
    • The process executes VB scripts

      • OfficeClickToRun.exe (PID: 7588)
    • Creates FileSystem object to access computer's file system (SCRIPT)

      • wscript.exe (PID: 8128)
      • wscript.exe (PID: 8172)
    • Probably delays execution using 'w32tm.exe'

      • cmd.exe (PID: 3984)
    • Uses WMI to retrieve WMI-managed resources (SCRIPT)

      • wscript.exe (PID: 8128)
  • INFO

    • Checks supported languages

      • componentfontperf.exe (PID: 6984)
      • Lmn.exe (PID: 6780)
    • Reads the computer name

      • componentfontperf.exe (PID: 6984)
      • Lmn.exe (PID: 6780)
    • Reads the machine GUID from the registry

      • componentfontperf.exe (PID: 6984)
    • Drops encrypted VBS script (Microsoft Script Encoder)

      • Lmn.exe (PID: 6780)
    • The sample is compiled with English language support

      • Lmn.exe (PID: 6780)
      • componentfontperf.exe (PID: 6984)
      • OfficeClickToRun.exe (PID: 7588)
    • Reads Environment values

      • componentfontperf.exe (PID: 6984)
    • Process checks computer location settings

      • Lmn.exe (PID: 6780)
    • Creates files in the program directory

      • componentfontperf.exe (PID: 6984)
    • .NET Reactor protector has been detected

      • componentfontperf.exe (PID: 6984)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 2164)
      • powershell.exe (PID: 6912)
      • powershell.exe (PID: 6928)
      • powershell.exe (PID: 6800)
      • powershell.exe (PID: 6888)
      • powershell.exe (PID: 6880)
      • powershell.exe (PID: 3436)
      • powershell.exe (PID: 5604)
      • powershell.exe (PID: 5544)
      • powershell.exe (PID: 6804)
      • powershell.exe (PID: 4624)
      • powershell.exe (PID: 7152)
      • powershell.exe (PID: 6868)
      • powershell.exe (PID: 6872)
    • Creates files in a temporary directory

      • componentfontperf.exe (PID: 6984)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 6880)
      • powershell.exe (PID: 5604)
      • powershell.exe (PID: 2164)
      • powershell.exe (PID: 6888)
      • powershell.exe (PID: 6868)
      • powershell.exe (PID: 6872)
      • powershell.exe (PID: 6928)
      • powershell.exe (PID: 5544)
      • powershell.exe (PID: 3436)
      • powershell.exe (PID: 6912)
      • powershell.exe (PID: 6800)
      • powershell.exe (PID: 4624)
      • powershell.exe (PID: 6804)
      • powershell.exe (PID: 7152)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

DcRat

(PID) Process: (6984) componentfontperf.exe
C2 (1): http://195.3.223.79/Uploads/Universallocal9windows/PhpUploadsWordpress3/3/Process/multiSecure1update/8/MulticdnVideo6/Geo/updatedbTrafficLocal
Options
Tag: LMN
Mutex: DCR_MUTEX-Q8eXQdgRoiyqrMGB1gcY
savebrowsersdatatosinglefile: false
ignorepartiallyemptydata: false
cookies: true
passwords: true
forms: true
cc: true
history: false
telegram: true
steam: true
discord: true
filezilla: true
screenshot: true
clipboard: true
sysinfo: true
searchpath: %UsersFolder% - Fast
Target: ru
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:12:01 18:00:55+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 201216
InitializedDataSize: 114176
UninitializedDataSize: -
EntryPoint: 0x1ec40
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes
217
Monitored processes
91
Malicious processes
6
Suspicious processes
1

Behavior graph

Process nodes shown in the graph (interactive in the full report; "no specs" marks a process without its own indicators): start node lmn.exe, then wscript.exe, cmd.exe, conhost.exe, componentfontperf.exe (tagged #DCRAT), a large number of schtasks.exe instances, multiple powershell.exe and conhost.exe instances, cmd.exe, conhost.exe, w32tm.exe, officeclicktorun.exe, two wscript.exe instances and a second lmn.exe.

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1140
CMD: schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 11 /tr "'C:\Recovery\OEM\firefox.exe'" /f
Path: C:\Windows\System32\schtasks.exe
Parent process: WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1480
CMD: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\Logs\RuntimeBroker.exe'" /rl HIGHEST /f
Path: C:\Windows\System32\schtasks.exe
Parent process: WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1612
CMD: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\perfCrt\System.exe'" /rl HIGHEST /f
Path: C:\Windows\System32\schtasks.exe
Parent process: WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1804
CMD: schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 10 /tr "'C:\Windows\Speech\MusNotification.exe'" /f
Path: C:\Windows\System32\schtasks.exe
Parent process: WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1920
CMD: schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\TextInputHost.exe'" /rl HIGHEST /f
Path: C:\Windows\System32\schtasks.exe
Parent process: WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2008
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2076
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2148
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2164
CMD: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: componentfontperf.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2736
CMD: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\perfCrt\System.exe'" /f
Path: C:\Windows\System32\schtasks.exe
Parent process: WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
81 659
Read events
81 637
Write events
22
Delete events
0

Modification events

(PID) Process: (6780) Lmn.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbe\OpenWithProgids
Operation: write
Name: VBEFile
Value:
(PID) Process: (6984) componentfontperf.exe
Key: HKEY_CURRENT_USER\SOFTWARE\08b24d6e46b4461a1b02d207bb397bb5
Operation: write
Name: 08b24d6e46b4461a1b02d207bb397bb5
Value:
08b24d6e46b4461a1b02d207bb397bb5
(PID) Process: (6984) componentfontperf.exe
Key: HKEY_CURRENT_USER\SOFTWARE\4837d7967e310e8e0f8bca34ef3de6d69c262552
Operation: write
Name: e221d2146f9c2cf2edf7f1c7da24b38d5e342fe1
Value:
WyJDOlxccGVyZkNydFxcY29tcG9uZW50Zm9udHBlcmYuZXhlIiwiQzpcXFJlY292ZXJ5XFxPRU1cXHdpbmxvZ29uLmV4ZSIsIkM6XFxQcm9ncmFtIEZpbGVzXFxXaW5kb3dzIE1haWxcXGVuLVVTXFxUZXh0SW5wdXRIb3N0LmV4ZSIsIkM6XFxXaW5kb3dzXFxTcGVlY2hcXE11c05vdGlmaWNhdGlvbi5leGUiLCJDOlxcUmVjb3ZlcnlcXE9FTVxcZmlyZWZveC5leGUiLCJDOlxcUHJvZ3JhbSBGaWxlcyAoeDg2KVxcV2luZG93cyBTaWRlYmFyXFxHYWRnZXRzXFxzaWhvc3QuZXhlIiwiQzpcXFByb2dyYW0gRmlsZXNcXFdpbmRvd3MgTlRcXFRleHRJbnB1dEhvc3QuZXhlIiwiQzpcXFJlY292ZXJ5XFxMb2dzXFxSdW50aW1lQnJva2VyLmV4ZSIsIkM6XFxwZXJmQ3J0XFxkd20uZXhlIiwiQzpcXGZvdW5kLjAwMFxcZGlyMDAwMS5jaGtcXE9mZmljZUNsaWNrVG9SdW4uZXhlIiwiQzpcXFVzZXJzXFxQdWJsaWNcXE11c2ljXFxTZWFyY2hBcHAuZXhlIiwiQzpcXGZvdW5kLjAwMFxcZGlyMDAwMS5jaGtcXGNvbXBvbmVudGZvbnRwZXJmLmV4ZSIsIkM6XFxSZWNvdmVyeVxcT0VNXFxleHBsb3Jlci5leGUiLCJDOlxcUHJvZ3JhbSBGaWxlc1xcV2luZG93cyBTaWRlYmFyXFxTaGFyZWQgR2FkZ2V0c1xcZXhwbG9yZXIuZXhlIiwiQzpcXHBlcmZDcnRcXGNtZC5leGUiLCJDOlxcVXNlcnNcXERlZmF1bHQgVXNlclxcU3lzdGVtU2V0dGluZ3MuZXhlIiwiQzpcXHBlcmZDcnRcXFN5c3RlbS5leGUiLCJDOlxcZm91bmQuMDAwXFxkaXJfMDAwMDAwMDIuY2hrXFxNZW1vcnkgQ29tcHJlc3Npb24uZXhlIl0=
(PID) Process: (6984) componentfontperf.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation: write
Name: C:\WINDOWS\System32\cmd.exe.FriendlyAppName
Value:
Windows Command Processor
(PID) Process: (6984) componentfontperf.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation: write
Name: C:\WINDOWS\System32\cmd.exe.ApplicationCompany
Value:
Microsoft Corporation
(PID) Process: (7588) OfficeClickToRun.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithProgids
Operation: write
Name: VBSFile
Value:
(PID) Process: (7588) OfficeClickToRun.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\OfficeClickToRun_RASAPI32
Operation: write
Name: EnableFileTracing
Value:
0
(PID) Process: (7588) OfficeClickToRun.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\OfficeClickToRun_RASAPI32
Operation: write
Name: EnableAutoFileTracing
Value:
0
(PID) Process: (7588) OfficeClickToRun.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\OfficeClickToRun_RASAPI32
Operation: write
Name: EnableConsoleTracing
Value:
0
(PID) Process: (7588) OfficeClickToRun.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\OfficeClickToRun_RASAPI32
Operation: write
Name: FileTracingMask
Value:
Executable files
89
Suspicious files
2
Text files
51
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 6780 | Process: Lmn.exe | Filename: C:\perfCrt\DyAN95wmB6Qtyt8S.vbe | Type: binary
MD5: 891335A7849A119090539CDDCBE8D69A
SHA256: E5735E58F072495AB9E091D9917BC306204C89DD68F64B583C5219E741168628
PID: 6984 | Process: componentfontperf.exe | Filename: C:\Program Files (x86)\Windows Sidebar\Gadgets\sihost.exe | Type: executable
MD5: 1AF88E2387C5C3D52FF9BA6EB77A1EC3
SHA256: B125D34B8CCEC716087DF371A77A693EDDC8FB786C670A3A5E80A32F39A140F1
PID: 6984 | Process: componentfontperf.exe | Filename: C:\Windows\Speech\MusNotification.exe | Type: executable
MD5: 1AF88E2387C5C3D52FF9BA6EB77A1EC3
SHA256: B125D34B8CCEC716087DF371A77A693EDDC8FB786C670A3A5E80A32F39A140F1
PID: 6984 | Process: componentfontperf.exe | Filename: C:\Program Files\Windows Mail\en-US\22eafd247d37c3 | Type: text
MD5: 6F1F0D5A41685A7E4259451461D30460
SHA256: 59BFAA1E5856DBF894797F09EEB63ED362BD7711C9E4C16C1616F1C707EB6DC4
PID: 6984 | Process: componentfontperf.exe | Filename: C:\Recovery\OEM\0fc223bdacedc3 | Type: text
MD5: 4F6DCCB60E8AAFC1BFF7CEC0C211A942
SHA256: 53F8A8EFEEB604973C3A02681599B8C7B03B3DAACD1A51422443315B7BF40A16
PID: 6984 | Process: componentfontperf.exe | Filename: C:\Program Files\Windows NT\TextInputHost.exe | Type: executable
MD5: 1AF88E2387C5C3D52FF9BA6EB77A1EC3
SHA256: B125D34B8CCEC716087DF371A77A693EDDC8FB786C670A3A5E80A32F39A140F1
PID: 6984 | Process: componentfontperf.exe | Filename: C:\Windows\Speech\aa97147c4c782d | Type: text
MD5: 9DE7019106ECDA4D3A41A1442FB6DAC5
SHA256: B5964EBFE729E114576109F0BDECC90F29FC39245FC41EF9D8211584390AEBAA
PID: 6984 | Process: componentfontperf.exe | Filename: C:\perfCrt\6cb0b6c459d5d3 | Type: text
MD5: EBE2E088FBB25F6475B9FC4290D647A7
SHA256: EAFBA24F9A8A3643DECF7F1FB2F64BAE3515F7809FDC747865F1681B8F1C526F
PID: 6984 | Process: componentfontperf.exe | Filename: C:\Recovery\Logs\RuntimeBroker.exe | Type: executable
MD5: 1AF88E2387C5C3D52FF9BA6EB77A1EC3
SHA256: B125D34B8CCEC716087DF371A77A693EDDC8FB786C670A3A5E80A32F39A140F1
PID: 6984 | Process: componentfontperf.exe | Filename: C:\Program Files\Windows NT\22eafd247d37c3 | Type: text
MD5: 57A33801575689ADC3FB9F88359630F2
SHA256: 1935084BC5B3CBC928CDFBC0884F4AA8017F6FF8B2DE6C22E53A1D573A8AF798
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
32
DNS requests
17
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1176
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6428
backgroundTaskHost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
5256
SIHClient.exe
GET
200
23.218.209.163:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
5256
SIHClient.exe
GET
200
23.218.209.163:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4712
MoUsoCoreWorker.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
5064
SearchApp.exe
2.21.65.154:443
www.bing.com
Akamai International B.V.
NL
whitelisted
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2.23.77.188:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
536
svchost.exe
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
1176
svchost.exe
40.126.31.129:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1176
svchost.exe
2.23.77.188:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
1076
svchost.exe
184.28.89.167:443
go.microsoft.com
AKAMAI-AS
US
whitelisted

DNS requests

Domain
IP
Reputation
www.microsoft.com
  • 95.101.149.131
  • 23.218.209.163
whitelisted
www.bing.com
  • 2.21.65.154
  • 2.21.65.132
  • 2.21.65.153
whitelisted
google.com
  • 142.250.185.174
whitelisted
ocsp.digicert.com
  • 2.23.77.188
  • 2.17.190.73
whitelisted
login.live.com
  • 40.126.31.129
  • 20.190.159.131
  • 20.190.159.75
  • 40.126.31.67
  • 20.190.159.2
  • 20.190.159.64
  • 40.126.31.128
  • 20.190.159.68
whitelisted
go.microsoft.com
  • 184.28.89.167
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted
arc.msn.com
  • 20.223.35.26
whitelisted

Threats

No threats detected
No debug info