File name: MentalMentor.exe
Full analysis: https://app.any.run/tasks/987c3b5a-a058-4bf2-b7b6-f4a2700153e6
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software intended to gain unauthorized access to users’ information and transfer it to the attacker. The stealer category includes various types of programs, each focused on its particular kind of data, including files, passwords, and cryptocurrency. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: January 16, 2025, 03:43:44
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
stealer
arch-exec
evasion
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 10 sections
MD5: 5B2DF5D78808A6F81F1316D0B1C9464D
SHA1: 25A73308C83D2D57A80CD8BACE29BFCB54CDE6E1
SHA256: 8C0B492B8BFAB6F0975A16973C065B16A5D4D8C90097845C7DE023C2A5887D5F
SSDEEP: 98304:l+cD4dnZIQYaQCn0zYIShe3YC09z13z0WoJezEsvHG512Dcd2D+gsrC+x3ILB1UP:mOFkbu

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Actions looks like stealing of personal data

      • MentalMentor.tmp (PID: 6496)
    • Changes the autorun value in the registry

      • mentalmentor.exe (PID: 1140)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • MentalMentor.exe (PID: 6248)
      • MentalMentor.exe (PID: 6460)
      • MentalMentor.tmp (PID: 6496)
      • 7z.exe (PID: 7160)
      • 7z.exe (PID: 5988)
      • 7z.exe (PID: 4684)
      • luminati.exe (PID: 4308)
      • net_updater32.exe (PID: 7088)
      • luminati.exe (PID: 3820)
      • luminati.exe (PID: 6508)
    • Reads security settings of Internet Explorer

      • MentalMentor.tmp (PID: 6268)
      • MentalMentor.tmp (PID: 6496)
      • luminati.exe (PID: 4308)
    • Reads the Windows owner or organization settings

      • MentalMentor.tmp (PID: 6496)
    • Checks Windows Trust Settings

      • MentalMentor.tmp (PID: 6496)
      • net_updater32.exe (PID: 7088)
    • The process drops C-runtime libraries

      • 7z.exe (PID: 7160)
      • luminati.exe (PID: 4308)
    • Drops 7-zip archiver for unpacking

      • MentalMentor.tmp (PID: 6496)
    • Process drops legitimate windows executable

      • 7z.exe (PID: 7160)
      • luminati.exe (PID: 4308)
    • Searches for installed software

      • MentalMentor.tmp (PID: 6496)
    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • MentalMentor.tmp (PID: 6496)
    • Detected use of alternative data streams (AltDS)

      • luminati.exe (PID: 4308)
      • net_updater32.exe (PID: 7088)
      • luminati.exe (PID: 3820)
      • luminati.exe (PID: 6508)
    • Executes as Windows Service

      • net_updater32.exe (PID: 7088)
      • WmiApSrv.exe (PID: 6736)
    • The process checks if it is being run in the virtual environment

      • net_updater32.exe (PID: 7088)
    • Potential Corporate Privacy Violation

      • net_updater32.exe (PID: 7088)
    • Checks for external IP

      • net_updater32.exe (PID: 7088)
    • Adds/modifies Windows certificates

      • QtWebEngineProcess.exe (PID: 6924)
  • INFO

    • Checks supported languages

      • MentalMentor.exe (PID: 6248)
      • MentalMentor.tmp (PID: 6268)
      • MentalMentor.exe (PID: 6460)
      • MentalMentor.tmp (PID: 6496)
      • 7z.exe (PID: 7160)
      • 7z.exe (PID: 4684)
      • 7z.exe (PID: 5988)
      • 7z.exe (PID: 2600)
      • test_wpf.exe (PID: 6096)
      • luminati.exe (PID: 4308)
      • net_updater32.exe (PID: 5720)
      • net_updater32.exe (PID: 7088)
      • test_wpf.exe (PID: 6340)
      • idle_report.exe (PID: 3208)
      • luminati.exe (PID: 3820)
      • test_wpf.exe (PID: 2084)
      • QtWebEngineProcess.exe (PID: 5192)
      • QtWebEngineProcess.exe (PID: 6924)
      • luminati.exe (PID: 6508)
      • test_wpf.exe (PID: 6920)
      • QtWebEngineProcess.exe (PID: 6324)
    • Process checks computer location settings

      • MentalMentor.tmp (PID: 6268)
      • luminati.exe (PID: 4308)
      • net_updater32.exe (PID: 7088)
      • QtWebEngineProcess.exe (PID: 5192)
    • Create files in a temporary directory

      • MentalMentor.exe (PID: 6460)
      • MentalMentor.exe (PID: 6248)
      • MentalMentor.tmp (PID: 6496)
    • Reads the computer name

      • MentalMentor.tmp (PID: 6496)
      • MentalMentor.tmp (PID: 6268)
      • mentalmentor.exe (PID: 1140)
      • test_wpf.exe (PID: 2084)
      • test_wpf.exe (PID: 6096)
      • test_wpf.exe (PID: 6920)
    • Reads the software policy settings

      • MentalMentor.tmp (PID: 6496)
      • luminati.exe (PID: 4308)
      • net_updater32.exe (PID: 5720)
      • net_updater32.exe (PID: 7088)
      • mentalmentor.exe (PID: 1140)
      • QtWebEngineProcess.exe (PID: 6924)
      • luminati.exe (PID: 3820)
    • Checks proxy server information

      • MentalMentor.tmp (PID: 6496)
      • luminati.exe (PID: 4308)
      • QtWebEngineProcess.exe (PID: 6924)
      • mentalmentor.exe (PID: 1140)
    • The sample compiled with english language support

      • 7z.exe (PID: 7160)
      • MentalMentor.tmp (PID: 6496)
      • 7z.exe (PID: 4684)
      • luminati.exe (PID: 4308)
    • Creates a software uninstall entry

      • MentalMentor.tmp (PID: 6496)
    • Creates files in the program directory

      • luminati.exe (PID: 4308)
      • net_updater32.exe (PID: 5720)
      • net_updater32.exe (PID: 7088)
      • brightdata.exe (PID: 6220)
      • luminati.exe (PID: 3820)
      • luminati.exe (PID: 6508)
    • Reads the machine GUID from the registry

      • MentalMentor.tmp (PID: 6496)
      • test_wpf.exe (PID: 6096)
      • net_updater32.exe (PID: 7088)
      • test_wpf.exe (PID: 6340)
      • brightdata.exe (PID: 6220)
      • luminati.exe (PID: 3820)
      • test_wpf.exe (PID: 2084)
      • mentalmentor.exe (PID: 1140)
      • luminati.exe (PID: 4308)
      • test_wpf.exe (PID: 6920)
      • luminati.exe (PID: 6508)
    • Creates files or folders in the user directory

      • MentalMentor.tmp (PID: 6496)
      • QtWebEngineProcess.exe (PID: 6924)
    • Disables trace logs

      • luminati.exe (PID: 4308)
      • net_updater32.exe (PID: 7088)
    • The process uses the downloaded file

      • net_updater32.exe (PID: 7088)
    • Sends debugging messages

      • mentalmentor.exe (PID: 1140)
      • QtWebEngineProcess.exe (PID: 5192)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (67.7)
.exe | Win32 EXE PECompact compressed (generic) (25.6)
.exe | Win32 Executable (generic) (2.7)
.exe | Win16/32 Executable Delphi generic (1.2)
.exe | Generic Win/DOS Executable (1.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:02:15 14:54:16+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 741888
InitializedDataSize: 102400
UninitializedDataSize: -
EntryPoint: 0xb5eec
OSVersion: 6
ImageVersion: 6
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.1.0.0
ProductVersionNumber: 1.1.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: Mental Mentor
FileDescription: Mental Mentor Setup
FileVersion: 1.1.0
LegalCopyright: Copyright 2024 Agora International Agency
OriginalFileName: MentalMentor.exe
ProductName: Mental Mentor
ProductVersion: 1.1.0
All screenshots are available in the full report
Total processes: 168
Monitored processes: 35
Malicious processes: 9
Suspicious processes: 1

Behavior graph

Processes in the graph, in the order shown (starting from the root node "start"): mentalmentor.exe, mentalmentor.tmp (no specs), mentalmentor.exe, mentalmentor.tmp, 7z.exe, conhost.exe (no specs), 7z.exe, conhost.exe (no specs), 7z.exe, conhost.exe (no specs), 7z.exe (no specs), conhost.exe (no specs), netsh.exe (no specs), conhost.exe (no specs), netsh.exe (no specs), conhost.exe (no specs), luminati.exe, test_wpf.exe (no specs), net_updater32.exe, conhost.exe (no specs), net_updater32.exe, test_wpf.exe (no specs), idle_report.exe (no specs), conhost.exe (no specs), brightdata.exe (no specs), conhost.exe (no specs), wmiapsrv.exe (no specs), mentalmentor.exe, luminati.exe, qtwebengineprocess.exe, qtwebengineprocess.exe (no specs), test_wpf.exe (no specs), luminati.exe, test_wpf.exe (no specs), qtwebengineprocess.exe (no specs)

Process information

PID: 1140
CMD: "C:\Users\admin\mentalmentor\mentalmentor.exe" install
Path: C:\Users\admin\mentalmentor\mentalmentor.exe
Parent process: MentalMentor.tmp
User: admin
Company: Mental Mentor
Integrity Level: HIGH
Description: Mental Mentor
Version: 1.5.0
Modules (images):
c:\users\admin\mentalmentor\mentalmentor.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

PID: 2084
CMD: C:\ProgramData\BrightData\1c38ac4e31598c50e45dd311c7d362929c5fedd9\test_wpf.exe
Path: C:\ProgramData\BrightData\1c38ac4e31598c50e45dd311c7d362929c5fedd9\test_wpf.exe
Parent process: luminati.exe
User: admin
Company: BrightData Ltd.
Integrity Level: HIGH
Description: test_wpf
Exit code: 0
Version: 1.474.630
Modules (images):
c:\programdata\brightdata\1c38ac4e31598c50e45dd311c7d362929c5fedd9\test_wpf.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

PID: 2600
CMD: "C:\Users\admin\AppData\Local\Temp\is-3VB4N.tmp\7z.exe" x "C:\Users\admin\AppData\Local\Temp\is-3VB4N.tmp\zip_html.7z" -o"C:\Users\admin\mentalmentor\settings\temp\inst_gui\" * -r -aoa
Path: C:\Users\admin\AppData\Local\Temp\is-3VB4N.tmp\7z.exe
Parent process: MentalMentor.tmp
User: admin
Company: Igor Pavlov
Integrity Level: HIGH
Description: 7-Zip Console
Exit code: 0
Version: 9.20
Modules (images):
c:\users\admin\appdata\local\temp\is-3vb4n.tmp\7z.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll

PID: 3040
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: 7z.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 3208
CMD: C:\ProgramData\BrightData\1c38ac4e31598c50e45dd311c7d362929c5fedd9\idle_report.exe --id 49466 --screen
Path: C:\ProgramData\BrightData\1c38ac4e31598c50e45dd311c7d362929c5fedd9\idle_report.exe
Parent process: net_updater32.exe
User: admin
Company: BrightData Ltd.
Integrity Level: MEDIUM
Description: idle_report
Exit code: 0
Version: 1.474.630
Modules (images):
c:\programdata\brightdata\1c38ac4e31598c50e45dd311c7d362929c5fedd9\idle_report.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll

PID: 3532
CMD: "netsh" advfirewall firewall add rule name="Mental Mentor" dir=in action=allow program="C:\Users\admin\mentalmentor\QtWebEngineProcess.exe" enable=yes
Path: C:\Windows\SysWOW64\netsh.exe
Parent process: MentalMentor.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Network Command Shell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

PID: 3736
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: net_updater32.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 3820
CMD: C:\Users\admin\mentalmentor\luminati\luminati.exe is_switch_on
Path: C:\Users\admin\mentalmentor\luminati\luminati.exe
Parent process: mentalmentor.exe
User: admin
Company: Mental Mentor
Integrity Level: HIGH
Description: Mental Mentor's Luminati controller
Exit code: 101
Version: 1.0.0
Modules (images):
c:\users\admin\mentalmentor\luminati\luminati.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

PID: 3988
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: idle_report.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 4052
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: 7z.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Total events: 27 381
Read events: 27 273
Write events: 104
Delete events: 4

Modification events

(PID) Process | Key | Operation | Name | Value
(6496) MentalMentor.tmp | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mental Mentor | write | URLInfoAbout | https://mmentorapp.com
(6496) MentalMentor.tmp | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mental Mentor | write | HelpLink | https://mmentorapp.com
(6496) MentalMentor.tmp | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mental Mentor | write | DisplayVersion | 1.5.2
(6496) MentalMentor.tmp | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mental Mentor | write | InstallDate | 20250116
(6496) MentalMentor.tmp | HKEY_CURRENT_USER\SOFTWARE\mentalmentor | write | inst_id | 9865192
(6496) MentalMentor.tmp | HKEY_CURRENT_USER\SOFTWARE\mentalmentor | write | autostart | true
(6496) MentalMentor.tmp | HKEY_CURRENT_USER\SOFTWARE\mentalmentor | write | reinstall | false
(6496) MentalMentor.tmp | HKEY_CURRENT_USER\SOFTWARE\mentalmentor | write | installer | true
(6496) MentalMentor.tmp | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mental Mentor | write | InstallLocation | C:\Users\admin\mentalmentor
(6496) MentalMentor.tmp | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mental Mentor | write | DisplayName | Mental Mentor
Executable files: 54
Suspicious files: 129
Text files: 38
Unknown types: 21

Dropped files

PID Process | Filename | Type
6496 MentalMentor.tmp | C:\Users\admin\AppData\Local\Temp\is-3VB4N.tmp\zip_libs.7z | -
  MD5: - | SHA256: -
7160 7z.exe | C:\Users\admin\mentalmentor\resources\icudtl.dat | -
  MD5: - | SHA256: -
6496 MentalMentor.tmp | C:\Users\admin\AppData\Local\Temp\is-3VB4N.tmp\zip_bin.7z | compressed
  MD5: 34D8F0706FC500746B42B42C334405DB | SHA256: 6D6917576C4F29648B6DBD2DE59D807CEFCFEA1AB61E439C17DD8D9600BBCC7E
6460 MentalMentor.exe | C:\Users\admin\AppData\Local\Temp\is-P02FP.tmp\MentalMentor.tmp | executable
  MD5: 0D041F22D598F3A63BDF0E66C448BDAB | SHA256: E6B54015C403E3016B848B18FC488D4D281A752BC9AB2A3324BA4D8EFB642563
6496 MentalMentor.tmp | C:\Users\admin\AppData\Local\Temp\is-3VB4N.tmp\zip_lum.7z | compressed
  MD5: 22A22C91A5EE767952CCCF6E61176EDA | SHA256: A590BC132B0EF459D4DE8EC3FB8C401DAAAE1205F93B47B0BFF52CC0C222CFA2
6496 MentalMentor.tmp | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 | binary
  MD5: E192462F281446B5D1500D474FBACC4B | SHA256: F1BA9F1B63C447682EBF9DE956D0DA2A027B1B779ABEF9522D347D3479139A60
6496 MentalMentor.tmp | C:\Users\admin\AppData\Local\Temp\is-3VB4N.tmp\7z.dll | executable
  MD5: 04AD4B80880B32C94BE8D0886482C774 | SHA256: A1E1D1F0FFF4FCCCFBDFA313F3BDFEA4D3DFE2C2D9174A615BBC39A0A6929338
6496 MentalMentor.tmp | C:\Users\admin\AppData\Local\Temp\is-3VB4N.tmp\zip_html.7z | compressed
  MD5: C81AC199128A2A72592714C154DDDDB4 | SHA256: 2450F1ED9E8099A6AA7445B6202740A1FA7829CC3D7ED2CB728121A5D7673457
6496 MentalMentor.tmp | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 | binary
  MD5: C341817E010867D14CFE9445502CD7BD | SHA256: A4718301975FAD0D014127CBDD0724F1FFF7870D6ECCB54E24E27A17F9B8C38C
6496 MentalMentor.tmp | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\873B145CC43D39FA572DF835C5999089 | binary
  MD5: 5B0355FDD8C64857F9691857880857B2 | SHA256: D4029B4BDCE9593A9913362136DB2B5950BBEC1B5968A29AD2FF578168B655E3
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 29
TCP/UDP connections: 96
DNS requests: 47
Threats: 3

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
(rows carry the values recorded in the export, in column order; "-" marks an empty PID/Process cell)
- | - | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
6496 | MentalMentor.tmp | GET | 200 | 184.24.77.48:80 | http://r11.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQaUrm0WeTDM5ghfoZtS72KO9ZnzgQUCLkRO6XQhRi06g%2BgrZ%2BGHo78OCcCEgOulXkTlegweLhzBtWhwnsrfg%3D%3D | unknown | whitelisted
1176 | svchost.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
- | - | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
- | - | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
- | - | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
6496 | MentalMentor.tmp | GET | 200 | 23.209.209.135:80 | http://x1.c.lencr.org/ | unknown | whitelisted
7088 | net_updater32.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D | unknown | whitelisted
6012 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
6160 | backgroundTaskHost.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4712 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
- | - | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5064 | SearchApp.exe | 104.126.37.131:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
- | - | 184.30.131.245:80 | ocsp.digicert.com | AKAMAI-AS | US | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
6496 | MentalMentor.tmp | 51.158.210.166:443 | web.mymentalmentor.net | Online S.a.s. | FR | unknown
1076 | svchost.exe | 23.213.166.81:443 | go.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
crl.microsoft.com
  • 23.53.40.178
  • 23.53.40.176
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
www.bing.com
  • 104.126.37.131
  • 104.126.37.184
  • 104.126.37.179
  • 104.126.37.139
  • 104.126.37.136
  • 104.126.37.128
  • 104.126.37.185
  • 104.126.37.186
  • 104.126.37.137
whitelisted
google.com
  • 142.250.185.174
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
web.mymentalmentor.net
  • 51.158.210.166
unknown
go.microsoft.com
  • 23.213.166.81
whitelisted
login.live.com
  • 40.126.32.72
  • 40.126.32.76
  • 40.126.32.134
  • 40.126.32.140
  • 20.190.160.14
  • 40.126.32.68
  • 40.126.32.74
  • 40.126.32.138
whitelisted
x1.c.lencr.org
  • 23.209.209.135
whitelisted

Threats

PID | Process | Class | Message
2192 | svchost.exe | Misc activity | ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
7088 | net_updater32.exe | Misc activity | ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
1 ETPRO signatures available at the full report
Process | Message
mentalmentor.exe | SentryController::init