File name: lawn.exe

Full analysis: https://app.any.run/tasks/a60b74c8-db6b-40a0-9b32-ad5cd027e68c
Verdict: Malicious activity
Analysis date: April 26, 2025, 14:13:05
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: nodejs, evasion, delphi

Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (console) Intel 80386, for MS Windows, 4 sections
MD5: E1B7D32B92F0F6D983B465E46C14F3CD
SHA1: B7F367A2E2D912170488B2678B5613247CB019C2
SHA256: 88D8C3E9143A5DEB47EEA2FBF37E39672CEBCA6A96391E1C92F2660758F17B26
SSDEEP: 768:TG/aLb2UYZLHQuYeckRkwVnEx5mwVvA1:TG/u+/HcWXnExxe1

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Antivirus name has been found in the command line (generic signature)

      • reset.exe (PID: 5568)
      • sfc.exe (PID: 5428)
    • Starts Visual C# compiler

      • lawn.exe (PID: 2848)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • lawn.exe (PID: 2848)
      • ServiceModelReg.exe (PID: 3056)
      • ComSvcConfig.exe (PID: 3764)
    • Reads the Internet Settings

      • lawn.exe (PID: 2848)
      • sipnotify.exe (PID: 1032)
      • Skype.exe (PID: 1336)
    • Reads Microsoft Outlook installation path

      • lawn.exe (PID: 2848)
    • Process drops legitimate windows executable

      • vcredist_x86.exe (PID: 2868)
      • vcredist_x86.exe (PID: 5176)
      • Skype-Setup.tmp (PID: 4280)
      • setup.exe (PID: 2828)
    • Executable content was dropped or overwritten

      • vcredist_x86.exe (PID: 2868)
      • RTLCPL.EXE (PID: 1892)
      • maintenanceservice_installer.exe (PID: 2656)
      • GoogleUpdateSetup.exe (PID: 3972)
      • Skype-Setup.exe (PID: 1496)
      • vcredist_x86.exe (PID: 5176)
      • Skype-Setup.exe (PID: 4164)
      • Skype-Setup.tmp (PID: 4280)
      • setup.exe (PID: 2828)
    • Reads settings of System Certificates

      • ServiceModelReg.exe (PID: 3056)
      • ComSvcConfig.exe (PID: 3764)
      • TsWpfWrp.exe (PID: 1828)
    • Application launched itself

      • Skype.exe (PID: 1336)
      • CompatTelRunner.exe (PID: 5544)
      • MRT-KB890830.exe (PID: 3008)
    • Searches for installed software

      • vcredist_x86.exe (PID: 2868)
    • Loads DLL from Mozilla Firefox

      • crashreporter.exe (PID: 604)
    • Uses QWINSTA.EXE to read information about user sessions on remote desktops

      • lawn.exe (PID: 2848)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • maintenanceservice_installer.exe (PID: 2656)
    • Uses SYSTEMINFO.EXE to read the environment

      • lawn.exe (PID: 2848)
    • Uses RUNDLL32.EXE to load library

      • SOUNDMAN.EXE (PID: 628)
    • Starts SC.EXE for service management

      • lawn.exe (PID: 2848)
    • Windows service management via SC.EXE

      • sc.exe (PID: 4136)
    • Uses WEVTUTIL.EXE for event log management in Windows

      • lawn.exe (PID: 2848)
    • Uses powercfg.exe to modify the power settings

      • lawn.exe (PID: 2848)
    • Checks for external IP

      • CCUpdate.exe (PID: 5240)
    • Uses TASKKILL.EXE to kill process

      • Skype-Setup.tmp (PID: 4280)
    • Starts CMD.EXE for command execution

      • lawn.exe (PID: 2848)
    • Uses ICACLS.EXE to modify access control lists

      • lawn.exe (PID: 2848)
    • Uses QUSER.EXE to read information about current user sessions

      • lawn.exe (PID: 2848)
    • Process uses IPCONFIG to get network configuration information

      • lawn.exe (PID: 2848)
    • The process drops C-runtime libraries

      • Skype-Setup.tmp (PID: 4280)
    • Starts another process probably with elevated privileges via RUNAS.EXE

      • runas.exe (PID: 4020)
    • Suspicious use of NETSH.EXE

      • lawn.exe (PID: 2848)
    • Searches and executes a command on selected files

      • forfiles.exe (PID: 5376)
  • INFO

    • Checks supported languages

      • ehprivjob.exe (PID: 1484)
      • lawn.exe (PID: 2848)
      • Skype.exe (PID: 1336)
      • SBEServer.exe (PID: 312)
      • MSTORDB.EXE (PID: 3064)
      • ose.exe (PID: 984)
      • AcroRd32Info.exe (PID: 676)
      • ditrace.exe (PID: 2204)
      • Skype.exe (PID: 3244)
      • ONELEV.EXE (PID: 3632)
      • vcredist_x86.exe (PID: 2868)
      • ServiceModelReg.exe (PID: 3056)
      • ose.exe (PID: 2984)
      • Skype.exe (PID: 4012)
      • ehsched.exe (PID: 3084)
      • Skype.exe (PID: 3196)
      • FlickLearningWizard.exe (PID: 3284)
      • DataSvcUtil.exe (PID: 3292)
      • ComSvcConfig.exe (PID: 3764)
      • unpack200.exe (PID: 4068)
      • DW20.EXE (PID: 3984)
      • ose.exe (PID: 1772)
      • crashreporter.exe (PID: 604)
      • Wkconv.exe (PID: 2204)
      • RTLCPL.EXE (PID: 1892)
      • GoogleUpdateCore.exe (PID: 2984)
      • tzupd.exe (PID: 3904)
      • wmpenc.exe (PID: 3412)
    • Reads the machine GUID from the registry

      • ehprivjob.exe (PID: 1484)
      • SBEServer.exe (PID: 312)
      • MSTORDB.EXE (PID: 3064)
      • ONELEV.EXE (PID: 3632)
      • ServiceModelReg.exe (PID: 3056)
      • ComSvcConfig.exe (PID: 3764)
      • DataSvcUtil.exe (PID: 3292)
      • wmpenc.exe (PID: 3412)
    • Reads the computer name

      • lawn.exe (PID: 2848)
      • SBEServer.exe (PID: 312)
      • MSTORDB.EXE (PID: 3064)
      • Skype.exe (PID: 1336)
      • ONELEV.EXE (PID: 3632)
      • ServiceModelReg.exe (PID: 3056)
      • Skype.exe (PID: 4012)
      • vcredist_x86.exe (PID: 2868)
      • Skype.exe (PID: 3196)
      • ehsched.exe (PID: 3084)
      • ComSvcConfig.exe (PID: 3764)
      • DataSvcUtil.exe (PID: 3292)
      • tzupd.exe (PID: 3904)
      • GoogleUpdateCore.exe (PID: 2984)
      • RTLCPL.EXE (PID: 1892)
      • wmpenc.exe (PID: 3412)
    • Reads Environment values

      • MSTORDB.EXE (PID: 3064)
      • Skype.exe (PID: 1336)
    • Reads Microsoft Office registry keys

      • MSTORDB.EXE (PID: 3064)
    • Reads product name

      • Skype.exe (PID: 1336)
    • The sample is compiled with English language support

      • vcredist_x86.exe (PID: 2868)
      • RTLCPL.EXE (PID: 1892)
      • maintenanceservice_installer.exe (PID: 2656)
      • GoogleUpdateSetup.exe (PID: 3972)
      • vcredist_x86.exe (PID: 5176)
      • Skype-Setup.tmp (PID: 4280)
      • setup.exe (PID: 2828)
    • Creates files in a temporary directory

      • vcredist_x86.exe (PID: 2868)
    • Creates files or folders in the user directory

      • Skype.exe (PID: 1336)
      • IMJPDCT.EXE (PID: 1076)
      • Wkconv.exe (PID: 2204)
    • Reads the software policy settings

      • ServiceModelReg.exe (PID: 3056)
      • ComSvcConfig.exe (PID: 3764)
      • TsWpfWrp.exe (PID: 1828)
    • Application launched itself

      • chrome.exe (PID: 3268)
      • msedge.exe (PID: 2368)
    • Checks transactions between Windows and Oracle databases

      • ComSvcConfig.exe (PID: 3764)
    • Node.js compiler has been detected

      • Skype.exe (PID: 1336)
    • Reads security settings of Internet Explorer

      • TsWpfWrp.exe (PID: 1828)
    • Reads Internet Explorer settings

      • OUTLOOK.EXE (PID: 3144)
    • The sample is compiled with Arabic language support

      • GoogleUpdateSetup.exe (PID: 3972)
    • The sample is compiled with Bulgarian language support

      • GoogleUpdateSetup.exe (PID: 3972)
    • The sample is compiled with Czech language support

      • GoogleUpdateSetup.exe (PID: 3972)
    • The sample is compiled with German language support

      • GoogleUpdateSetup.exe (PID: 3972)
    • The sample is compiled with French language support

      • GoogleUpdateSetup.exe (PID: 3972)
    • The sample is compiled with Indonesian language support

      • GoogleUpdateSetup.exe (PID: 3972)
    • The sample is compiled with Italian language support

      • GoogleUpdateSetup.exe (PID: 3972)
    • The sample is compiled with Japanese language support

      • GoogleUpdateSetup.exe (PID: 3972)
    • Reads CPU info

      • Skype.exe (PID: 1336)
    • The sample is compiled with Polish language support

      • GoogleUpdateSetup.exe (PID: 3972)
    • The sample is compiled with Portuguese language support

      • GoogleUpdateSetup.exe (PID: 3972)
    • The sample is compiled with Korean language support

      • GoogleUpdateSetup.exe (PID: 3972)
    • The sample is compiled with Slovak language support

      • GoogleUpdateSetup.exe (PID: 3972)
    • The sample is compiled with Russian language support

      • GoogleUpdateSetup.exe (PID: 3972)
    • The sample is compiled with Swedish language support

      • GoogleUpdateSetup.exe (PID: 3972)
    • The sample is compiled with Turkish language support

      • GoogleUpdateSetup.exe (PID: 3972)
    • The sample is compiled with Chinese language support

      • GoogleUpdateSetup.exe (PID: 3972)
    • Compiled with Borland Delphi (YARA)

      • RTLCPL.EXE (PID: 1892)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win16/32 Executable Delphi generic (34.1)
.exe | Generic Win/DOS Executable (32.9)
.exe | DOS Executable Generic (32.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:04:24 19:52:04+00:00
ImageFileCharacteristics: Executable, Bytes reversed lo, 32-bit
PEType: PE32
LinkerVersion: 2.18
CodeSize: 23040
InitializedDataSize: 3072
UninitializedDataSize: -
EntryPoint: 0x1834
OSVersion: 1.11
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows command line
All screenshots are available in the full report
Total processes: 642
Monitored processes: 412
Malicious processes: 6
Suspicious processes: 2

Behavior graph

[Interactive behavior graph, not reproducible as text: a process tree rooted at lawn.exe listing every process launched during the session, most of them marked "no specs" in the graph. See the full report for the rendered graph.]

Process information

PID: 124
CMD: "C:\Windows\System32\lpremove.exe"
Path: C:\Windows\System32\lpremove.exe
Parent process: lawn.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: MUI Language pack cleanup
Exit code: 3221225794
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\lpremove.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll

PID: 128
CMD: "C:\Windows\System32\bthudtask.exe"
Path: C:\Windows\System32\bthudtask.exe
Parent process: lawn.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Bluetooth Uninstall Device Task
Exit code: 3221226540
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\bthudtask.exe
c:\windows\system32\ntdll.dll

PID: 148
CMD: "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
Path: C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe
Parent process: lawn.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Change Data Execution Prevention Settings
Exit code: 3221226540
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\systempropertiesdataexecutionprevention.exe
c:\windows\system32\ntdll.dll

PID: 312
CMD: "C:\Windows\ehome\CreateDisc\SBEServer.exe"
Path: C:\Windows\ehome\CreateDisc\SBEServer.exe
Parent process: lawn.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: SBEServer
Version: 0.9.0.0
Modules (images):
c:\windows\ehome\createdisc\sbeserver.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

PID: 580
CMD: "C:\Program Files\Common Files\Steam\SteamServiceTmp.exe"
Path: C:\Program Files\Common Files\Steam\SteamServiceTmp.exe
Parent process: lawn.exe
User: admin
Company: Valve Corporation
Integrity Level: MEDIUM
Description: Steam Client Service
Exit code: 3221226540
Version: 04.69.34.61
Modules (images):
c:\program files\common files\steam\steamservicetmp.exe
c:\windows\system32\ntdll.dll

PID: 604
CMD: "C:\Program Files\Mozilla Firefox\crashreporter.exe"
Path: C:\Program Files\Mozilla Firefox\crashreporter.exe
Parent process: lawn.exe
User: admin
Company: Mozilla Foundation
Integrity Level: MEDIUM
Exit code: 1073807364
Version: 115.0.2
Modules (images):
c:\program files\mozilla firefox\crashreporter.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\nss3.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\msvcp140.dll

PID: 628
CMD: "C:\Windows\SOUNDMAN.EXE"
Path: C:\Windows\SOUNDMAN.EXE
Parent process: lawn.exe
User: admin
Company: Realtek Semiconductor Corp.
Integrity Level: MEDIUM
Description: Realtek Sound Manager
Exit code: 1073807364
Version: 6, 0, 0, 5
Modules (images):
c:\windows\soundman.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

PID: 676
CMD: "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroRd32Info.exe"
Path: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroRd32Info.exe
Parent process: lawn.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: MEDIUM
Description: Adobe Acrobat Reader DC
Exit code: 255
Version: 15.7.20033.133275
Modules (images):
c:\windows\installer\$patchcache$\managed\68ab67ca7da73301b744caf070e41400\15.7.20033\acrord32info.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcp120.dll
c:\windows\system32\msvcr120.dll

PID: 872
CMD: "C:\Windows\System32\fixmapi.exe"
Path: C:\Windows\System32\fixmapi.exe
Parent process: lawn.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: FIXMAPI 1.0 MAPI Repair Tool
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\fixmapi.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll

PID: 872
CMD: "C:\Windows\System32\SystemPropertiesHardware.exe"
Path: C:\Windows\System32\SystemPropertiesHardware.exe
Parent process: lawn.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Hardware Settings
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\systempropertieshardware.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sysdm.cpl
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events: 69 653
Read events: 68 941
Write events: 658
Delete events: 54

Modification events

Process: (2848) lawn.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

Process: (2848) lawn.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

Process: (2848) lawn.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

Process: (2848) lawn.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

Process: (3064) MSTORDB.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Clip OrganizerDB\Resiliency\StartupItems
Operation: write
Name: $%
Value: 24252000F80B0000010000000000000000000000

Process: (3064) MSTORDB.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1033
Value: Off

Process: (3064) MSTORDB.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1041
Value: Off

Process: (3064) MSTORDB.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1046
Value: Off

Process: (3064) MSTORDB.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1036
Value: Off

Process: (3064) MSTORDB.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1031
Value: Off
Executable files: 203
Suspicious files: 173
Text files: 122
Unknown types: 0

Dropped files

PID: 3144
Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Temp\CVR489D.tmp.cvr
Type:
MD5:
SHA256:

PID: 3268
Process: chrome.exe
Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old~RF185147.TMP
Type:
MD5:
SHA256:

PID: 3268
Process: chrome.exe
Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old
Type:
MD5:
SHA256:

PID: 1032
Process: sipnotify.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\SipNotify\eoscontent\en-us.html
Type: html
MD5: 5001C5247AF7E35AC35ACE61B87E8040
SHA256: 2920ED0DDFE475884703A5AE7B835F40398E509AA26B52A8DDD7F25DCD4B3D2E

PID: 1032
Process: sipnotify.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\SipNotify\eoscontent\metadata.json
Type: binary
MD5: 253EDC8EC7674BD78293FF3B21866074
SHA256: 51C3A033F0160A30C1773F1E5A9CD01AB018B151EDA1BB64D0226B2437106A56

PID: 1032
Process: sipnotify.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\SipNotify\default.cab
Type: compressed
MD5: 340674F6A3D1562E28A011EC11E40D83
SHA256: 259880E2346D986ABEED46AA9C2917C53E969AAE6927F2CA0A2AD0967736DF98

PID: 1032
Process: sipnotify.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\SipNotify\eoscontent\script.js
Type: text
MD5: A2682382967C351F7ED21762F9E5DE9E
SHA256: 36B1D26F1EC69685648C0528C2FCE95A3C2DBECF828CDFA4A8B4239A15B644A2

PID: 2868
Process: vcredist_x86.exe
Filename: C:\Users\admin\AppData\Local\Temp\{f65db027-aff3-4070-886a-0d87064aabb1}\.ba1\wixstdba.dll
Type: executable
MD5: A52E5220EFB60813B31A82D101A97DCB
SHA256: E7C8E7EDD9112137895820E789BAAAECA41626B01FB99FEDE82968DDB66D02CF

PID: 1032
Process: sipnotify.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\SipNotify\eoscontent\microsoft-logo.png
Type: image
MD5: B7C73A0CFBA68CC70C35EF9C63703CE4
SHA256: 1D8B27A0266FF526CF95447F3701592A908848467D37C09A00A2516C1F29A013

PID: 1032
Process: sipnotify.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\SipNotify\eoscontent\main.jpg
Type: image
MD5: C8BCC2041232DA45C1367F1FEED51370
SHA256: C0EC6771F923E7B85F6E2E7AA58D6BA51D322E78F53CEE8108DBBFD352BE7B25
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 7
TCP/UDP connections: 28
DNS requests: 42
Threats: 7

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | Type | Reputation
5240 | CCUpdate.exe | GET | 200 | 96.16.53.152:80 | http://ccleaner.tools.avcdn.net/tools/ccleaner/update/patches.ini | unknown | whitelisted
1032 | sipnotify.exe | HEAD | 503 | 23.38.21.95:80 | http://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2JgkA?v=133901539988270000 | unknown | whitelisted
3144 | OUTLOOK.EXE | GET | - | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | unknown | whitelisted
5240 | CCUpdate.exe | HEAD | 200 | 96.16.53.156:80 | http://emupdate.avcdn.net/files/emupdate/pong.txt | unknown | whitelisted
5240 | CCUpdate.exe | GET | 200 | 96.16.53.152:80 | http://ccleaner.tools.avcdn.net/tools/ccleaner/update/updates.xml | unknown | whitelisted
- | - | HEAD | 503 | 23.38.21.95:80 | http://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2JgkA?v=133901540722920000 | unknown | whitelisted
5240 | CCUpdate.exe | GET | 200 | 96.16.53.152:80 | http://ccleaner.tools.avcdn.net/tools/ccleaner/update/ccupdate061_mv.cab | unknown | whitelisted

(The CN and Size columns of the report carry no values in this extract; "-" marks a cell that was empty.)

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 224.0.0.252:5355 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1032 | sipnotify.exe | 23.38.21.95:80 | query.prod.cms.rt.microsoft.com | AKAMAI-AS | NL | whitelisted
3268 | chrome.exe | 239.255.255.250:1900 | - | - | - | whitelisted
3780 | chrome.exe | 142.251.36.3:443 | clientservices.googleapis.com | GOOGLE | US | whitelisted
3780 | chrome.exe | 74.125.133.84:443 | accounts.google.com | GOOGLE | US | whitelisted
3780 | chrome.exe | 142.251.36.4:443 | www.google.com | GOOGLE | US | whitelisted
3780 | chrome.exe | 142.250.179.163:443 | www.gstatic.com | GOOGLE | US | whitelisted

("-" marks a cell that was empty in the extracted report.)

DNS requests

Domain | IP | Reputation
google.com | 172.217.23.206 | whitelisted
query.prod.cms.rt.microsoft.com | 23.38.21.95 | whitelisted
get.skype.com | 52.113.194.133 | whitelisted
a.config.skype.com | 13.107.42.16 | whitelisted
clientservices.googleapis.com | 142.251.36.3 | whitelisted
accounts.google.com | 74.125.133.84 | whitelisted
www.google.com | 142.251.36.4 | whitelisted
www.gstatic.com | 142.250.179.163 | whitelisted
ogads-pa.clients6.google.com | 142.250.179.202 | whitelisted
apis.google.com | 142.251.39.110 | whitelisted

Threats

PID | Process | Class | Message
1080 | svchost.exe | Misc activity | ET INFO External IP Lookup Service in DNS Query (ip-info .ff .avast .com)
1080 | svchost.exe | Misc activity | ET INFO External IP Lookup Service in DNS Query (ip-info .ff .avast .com)
5240 | CCUpdate.exe | Misc activity | ET INFO Observed External IP Lookup Domain (ip-info .ff .avast .com) in TLS SNI
1080 | svchost.exe | Misc activity | ET INFO External IP Lookup Service in DNS Query (ip-info .ff .avast .com)
- | - | Misc activity | ET INFO External IP Lookup Service in DNS Query (ip-info .ff .avast .com)
- | - | Misc activity | ET INFO Observed External IP Lookup Domain (ip-info .ff .avast .com) in TLS SNI
- | - | Misc activity | ET INFO External IP Lookup Service in DNS Query (ip-info .ff .avast .com)

("-" marks a cell that was empty in the extracted report.)

Debug output

Process | Message
Skype.exe | [0426/151321.155:ERROR:filesystem_win.cc(130)] GetFileAttributes C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Crashpad\attachments\3a0ee62b-79ac-4cc3-bbd5-f65252e7a91f: The system cannot find the file specified. (0x2)
elevation_service.exe | [0426/151332.308:ERROR:service_main.cc(154)] Failed to connect to the service control manager: The service process could not connect to the service controller. (0x427)
SteamService.exe | Failed to find Steam.exe
mmc.exe | ViewerViewsFolderPath = 'C:\ProgramData\Microsoft\Event Viewer\Views': Microsoft.Windows.ManagementUI.CombinedControls.EventsNode
mmc.exe | ViewerConfigPath = 'C:\ProgramData\Microsoft\Event Viewer': Microsoft.Windows.ManagementUI.CombinedControls.EventsNode
mmc.exe | ViewerAdminViewsPath = 'C:\ProgramData\Microsoft\Event Viewer\Views\ApplicationViewsRootNode': Microsoft.Windows.ManagementUI.CombinedControls.EventsNode
mmc.exe | ViewerExternalLogsPath = 'C:\ProgramData\Microsoft\Event Viewer\ExternalLogs': Microsoft.Windows.ManagementUI.CombinedControls.EventsNode
mmc.exe | Failed to get ChannelConfigOwningPublisher -122-The data area passed to a system call is too small
mmc.exe | Getting next publisher from enum failed-259-No more data is available
mmc.exe | Failed to get ChannelConfigOwningPublisher -122-The data area passed to a system call is too small