File name: MentalMentor.exe

Full analysis: https://app.any.run/tasks/a80e94f7-8062-438d-81b8-ca48d723407a
Verdict: Malicious activity
Analysis date: May 26, 2024, 11:29:39
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 4403CB3B8B299528D40A2555D8395BEB
SHA1: 52971B252D0E259808F158872DB478EEF4ED94E4
SHA256: CAD92559E7848F000CA084AA6E5434A2EAFEDD2BC2E5FF06A13B724BFD447359
SSDEEP: 98304:4+cD4dnVpK8uzBM+gR5Ut+6nt7CbYT3VTQlJpLFUI31PrAtTkmlsrC+x3ILB1UyV:r/cbF


ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • MentalMentor.exe (PID: 3968)
      • MentalMentor.exe (PID: 1116)
      • MentalMentor.tmp (PID: 748)
      • 7z.exe (PID: 1816)
      • 7z.exe (PID: 1056)
      • 7z.exe (PID: 2008)
      • luminati.exe (PID: 2524)
      • net_updater32.exe (PID: 2372)
      • luminati.exe (PID: 3252)
      • luminati.exe (PID: 1876)
      • luminati.exe (PID: 3688)
      • MentalMentor.exe (PID: 1900)
      • MentalMentor.exe (PID: 2356)
      • MentalMentor.tmp (PID: 2700)
    • Creates a writable file in the system directory

      • net_updater32.exe (PID: 2372)
    • Changes the autorun value in the registry

      • mentalmentor.exe (PID: 2772)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • MentalMentor.exe (PID: 3968)
      • MentalMentor.exe (PID: 1116)
      • MentalMentor.tmp (PID: 748)
      • 7z.exe (PID: 1816)
      • 7z.exe (PID: 2008)
      • 7z.exe (PID: 1056)
      • luminati.exe (PID: 2524)
      • net_updater32.exe (PID: 2372)
      • luminati.exe (PID: 3252)
      • luminati.exe (PID: 1876)
      • luminati.exe (PID: 3688)
      • MentalMentor.exe (PID: 2356)
      • MentalMentor.exe (PID: 1900)
      • MentalMentor.tmp (PID: 2700)
    • Reads the Windows owner or organization settings

      • MentalMentor.tmp (PID: 748)
      • MentalMentor.tmp (PID: 2700)
    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • MentalMentor.tmp (PID: 748)
    • Searches for installed software

      • MentalMentor.tmp (PID: 748)
    • Drops 7-zip archiver for unpacking

      • MentalMentor.tmp (PID: 748)
    • Process drops legitimate windows executable

      • 7z.exe (PID: 1056)
      • luminati.exe (PID: 2524)
    • The process drops C-runtime libraries

      • 7z.exe (PID: 1056)
      • luminati.exe (PID: 2524)
    • Reads settings of System Certificates

      • luminati.exe (PID: 2524)
      • net_updater32.exe (PID: 2560)
      • mentalmentor.exe (PID: 2772)
      • QtWebEngineProcess.exe (PID: 3432)
    • Detected use of alternative data streams (AltDS)

      • luminati.exe (PID: 2524)
      • net_updater32.exe (PID: 2372)
      • luminati.exe (PID: 1876)
      • luminati.exe (PID: 3688)
      • luminati.exe (PID: 3252)
    • Adds/modifies Windows certificates

      • luminati.exe (PID: 2524)
      • QtWebEngineProcess.exe (PID: 3432)
    • Reads the Internet Settings

      • luminati.exe (PID: 2524)
      • mentalmentor.exe (PID: 2772)
      • luminati.exe (PID: 3252)
      • QtWebEngineProcess.exe (PID: 3432)
    • Reads security settings of Internet Explorer

      • luminati.exe (PID: 2524)
    • Executes as Windows Service

      • net_updater32.exe (PID: 2372)
    • Checks Windows Trust Settings

      • net_updater32.exe (PID: 2372)
    • Potential Corporate Privacy Violation

      • net_updater32.exe (PID: 2372)
  • INFO

    • Checks supported languages

      • MentalMentor.tmp (PID: 3984)
      • MentalMentor.exe (PID: 3968)
      • MentalMentor.exe (PID: 1116)
      • MentalMentor.tmp (PID: 748)
      • wmpnscfg.exe (PID: 1184)
      • 7z.exe (PID: 1816)
      • luminati.exe (PID: 2524)
      • 7z.exe (PID: 1548)
      • 7z.exe (PID: 2008)
      • 7z.exe (PID: 1056)
      • test_wpf.exe (PID: 2512)
      • net_updater32.exe (PID: 2560)
      • net_updater32.exe (PID: 2372)
      • test_wpf.exe (PID: 2392)
      • idle_report.exe (PID: 2876)
      • brightdata.exe (PID: 2908)
      • mentalmentor.exe (PID: 2772)
      • mentalmentor_crashpad_handler.exe (PID: 2980)
      • luminati.exe (PID: 3252)
      • QtWebEngineProcess.exe (PID: 3432)
      • QtWebEngineProcess.exe (PID: 3404)
      • test_wpf.exe (PID: 3416)
      • test_wpf.exe (PID: 4076)
      • luminati.exe (PID: 1876)
      • QtWebEngineProcess.exe (PID: 3224)
      • luminati.exe (PID: 3688)
      • test_wpf.exe (PID: 3680)
      • idle_report.exe (PID: 1948)
      • idle_report.exe (PID: 1940)
      • MentalMentor.exe (PID: 1900)
      • MentalMentor.tmp (PID: 2556)
      • MentalMentor.exe (PID: 2356)
      • MentalMentor.tmp (PID: 2700)
      • mentalmentor.exe (PID: 2468)
    • Reads the computer name

      • MentalMentor.tmp (PID: 3984)
      • MentalMentor.tmp (PID: 748)
      • test_wpf.exe (PID: 2512)
      • luminati.exe (PID: 2524)
      • net_updater32.exe (PID: 2560)
      • net_updater32.exe (PID: 2372)
      • wmpnscfg.exe (PID: 1184)
      • test_wpf.exe (PID: 2392)
      • brightdata.exe (PID: 2908)
      • idle_report.exe (PID: 2876)
      • mentalmentor.exe (PID: 2772)
      • QtWebEngineProcess.exe (PID: 3432)
      • test_wpf.exe (PID: 3416)
      • luminati.exe (PID: 3252)
      • test_wpf.exe (PID: 4076)
      • QtWebEngineProcess.exe (PID: 3224)
      • luminati.exe (PID: 1876)
      • test_wpf.exe (PID: 3680)
      • luminati.exe (PID: 3688)
      • idle_report.exe (PID: 1948)
      • idle_report.exe (PID: 1940)
      • MentalMentor.tmp (PID: 2700)
      • MentalMentor.tmp (PID: 2556)
    • Create files in a temporary directory

      • MentalMentor.exe (PID: 3968)
      • MentalMentor.exe (PID: 1116)
      • MentalMentor.tmp (PID: 748)
      • MentalMentor.exe (PID: 1900)
      • MentalMentor.exe (PID: 2356)
      • MentalMentor.tmp (PID: 2700)
    • Reads the machine GUID from the registry

      • MentalMentor.tmp (PID: 748)
      • luminati.exe (PID: 2524)
      • test_wpf.exe (PID: 2512)
      • net_updater32.exe (PID: 2560)
      • test_wpf.exe (PID: 2392)
      • idle_report.exe (PID: 2876)
      • brightdata.exe (PID: 2908)
      • mentalmentor.exe (PID: 2772)
      • luminati.exe (PID: 3252)
      • test_wpf.exe (PID: 3416)
      • net_updater32.exe (PID: 2372)
      • luminati.exe (PID: 1876)
      • test_wpf.exe (PID: 4076)
      • luminati.exe (PID: 3688)
      • test_wpf.exe (PID: 3680)
      • idle_report.exe (PID: 1948)
      • idle_report.exe (PID: 1940)
      • MentalMentor.tmp (PID: 2700)
      • QtWebEngineProcess.exe (PID: 3432)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 1184)
      • MentalMentor.exe (PID: 1900)
      • mentalmentor.exe (PID: 2468)
    • Creates a software uninstall entry

      • MentalMentor.tmp (PID: 748)
    • Creates files in the program directory

      • luminati.exe (PID: 2524)
      • net_updater32.exe (PID: 2560)
      • net_updater32.exe (PID: 2372)
      • brightdata.exe (PID: 2908)
      • luminati.exe (PID: 3252)
      • luminati.exe (PID: 1876)
      • luminati.exe (PID: 3688)
    • Reads Environment values

      • luminati.exe (PID: 2524)
      • net_updater32.exe (PID: 2372)
      • brightdata.exe (PID: 2908)
      • luminati.exe (PID: 3252)
      • luminati.exe (PID: 1876)
      • luminati.exe (PID: 3688)
    • Reads the software policy settings

      • luminati.exe (PID: 2524)
      • net_updater32.exe (PID: 2560)
      • net_updater32.exe (PID: 2372)
      • QtWebEngineProcess.exe (PID: 3432)
    • Creates files or folders in the user directory

      • luminati.exe (PID: 2524)
      • QtWebEngineProcess.exe (PID: 3432)
    • Process checks computer location settings

      • luminati.exe (PID: 2524)
      • net_updater32.exe (PID: 2372)
      • QtWebEngineProcess.exe (PID: 3404)
      • luminati.exe (PID: 3252)
      • luminati.exe (PID: 1876)
      • luminati.exe (PID: 3688)
    • Checks proxy server information

      • luminati.exe (PID: 2524)
    • Disables trace logs

      • luminati.exe (PID: 2524)
      • net_updater32.exe (PID: 2372)
      • luminati.exe (PID: 3688)
      • luminati.exe (PID: 3252)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (67.7)
.exe | Win32 EXE PECompact compressed (generic) (25.6)
.exe | Win32 Executable (generic) (2.7)
.exe | Win16/32 Executable Delphi generic (1.2)
.exe | Generic Win/DOS Executable (1.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:02:15 14:54:16+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 741888
InitializedDataSize: 102400
UninitializedDataSize: -
EntryPoint: 0xb5eec
OSVersion: 6
ImageVersion: 6
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.1.0.0
ProductVersionNumber: 1.1.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: Mental Mentor
FileDescription: Mental Mentor Setup
FileVersion: 1.1.0
LegalCopyright: Copyright 2024 Agora International Agency
OriginalFileName: MentalMentor.exe
ProductName: Mental Mentor
ProductVersion: 1.1.0
No data.
All screenshots are available in the full report
Total processes: 91
Monitored processes: 36
Malicious processes: 14
Suspicious processes: 3

Behavior graph (monitored processes in start order; "no specs" is the report's own tag)

  • mentalmentor.exe
  • mentalmentor.tmp (no specs)
  • mentalmentor.exe
  • mentalmentor.tmp
  • wmpnscfg.exe (no specs)
  • 7z.exe
  • 7z.exe
  • 7z.exe
  • 7z.exe (no specs)
  • netsh.exe (no specs)
  • netsh.exe (no specs)
  • luminati.exe
  • test_wpf.exe (no specs)
  • net_updater32.exe
  • net_updater32.exe
  • test_wpf.exe (no specs)
  • idle_report.exe (no specs)
  • brightdata.exe (no specs)
  • mentalmentor.exe
  • mentalmentor_crashpad_handler.exe (no specs)
  • luminati.exe
  • test_wpf.exe (no specs)
  • qtwebengineprocess.exe
  • qtwebengineprocess.exe (no specs)
  • luminati.exe
  • test_wpf.exe (no specs)
  • qtwebengineprocess.exe (no specs)
  • luminati.exe
  • test_wpf.exe (no specs)
  • idle_report.exe (no specs)
  • idle_report.exe (no specs)
  • mentalmentor.exe
  • mentalmentor.tmp (no specs)
  • mentalmentor.exe
  • mentalmentor.tmp
  • mentalmentor.exe (no specs)

Process information

PID: 748
CMD: "C:\Users\admin\AppData\Local\Temp\is-2GHVS.tmp\MentalMentor.tmp" /SL5="$2013C,2483849,845312,C:\Users\admin\Desktop\MentalMentor.exe" /SPAWNWND=$2013A /NOTIFYWND=$20138
Path: C:\Users\admin\AppData\Local\Temp\is-2GHVS.tmp\MentalMentor.tmp
Parent process: MentalMentor.exe
User: admin
Company: Mental Mentor
Integrity Level: HIGH
Description: Setup/Uninstall
Exit code: 0
Version: 51.1052.0.0
Modules (Images):
  • c:\users\admin\appdata\local\temp\is-2ghvs.tmp\mentalmentor.tmp
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\mpr.dll
  • c:\windows\system32\comdlg32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\shlwapi.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\user32.dll

PID: 824
CMD: "netsh" advfirewall firewall add rule name="Mental Mentor" dir=in action=allow program="C:\Users\admin\mentalmentor\QtWebEngineProcess.exe" enable=yes
Path: C:\Windows\System32\netsh.exe
Parent process: MentalMentor.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Network Command Shell
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
  • c:\windows\system32\netsh.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\credui.dll
  • c:\windows\system32\user32.dll

PID: 1056
CMD: "C:\Users\admin\AppData\Local\Temp\is-27T9L.tmp\7z.exe" x "C:\Users\admin\AppData\Local\Temp\is-27T9L.tmp\zip_libs.7z" -o"C:\Users\admin\mentalmentor\" * -r -aoa
Path: C:\Users\admin\AppData\Local\Temp\is-27T9L.tmp\7z.exe
Parent process: MentalMentor.tmp
User: admin
Company: Igor Pavlov
Integrity Level: HIGH
Description: 7-Zip Console
Exit code: 0
Version: 9.20
Modules (Images):
  • c:\users\admin\appdata\local\temp\is-27t9l.tmp\7z.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\oleaut32.dll
  • c:\windows\system32\ole32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\lpk.dll

PID: 1116
CMD: "C:\Users\admin\Desktop\MentalMentor.exe" /SPAWNWND=$2013A /NOTIFYWND=$20138
Path: C:\Users\admin\Desktop\MentalMentor.exe
Parent process: MentalMentor.tmp
User: admin
Company: Mental Mentor
Integrity Level: HIGH
Description: Mental Mentor Setup
Exit code: 0
Version: 1.1.0
Modules (Images):
  • c:\users\admin\desktop\mentalmentor.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll

PID: 1184
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
  • c:\program files\windows media player\wmpnscfg.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll

PID: 1548
CMD: "C:\Users\admin\AppData\Local\Temp\is-27T9L.tmp\7z.exe" x "C:\Users\admin\AppData\Local\Temp\is-27T9L.tmp\zip_html.7z" -o"C:\Users\admin\mentalmentor\settings\temp\inst_gui\" * -r -aoa
Path: C:\Users\admin\AppData\Local\Temp\is-27T9L.tmp\7z.exe
Parent process: MentalMentor.tmp
User: admin
Company: Igor Pavlov
Integrity Level: HIGH
Description: 7-Zip Console
Exit code: 0
Version: 9.20
Modules (Images):
  • c:\users\admin\appdata\local\temp\is-27t9l.tmp\7z.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\oleaut32.dll
  • c:\windows\system32\ole32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\lpk.dll

PID: 1816
CMD: "C:\Users\admin\AppData\Local\Temp\is-27T9L.tmp\7z.exe" x "C:\Users\admin\AppData\Local\Temp\is-27T9L.tmp\zip_lum.7z" -o"C:\Users\admin\mentalmentor\luminati\" * -r -aoa
Path: C:\Users\admin\AppData\Local\Temp\is-27T9L.tmp\7z.exe
Parent process: MentalMentor.tmp
User: admin
Company: Igor Pavlov
Integrity Level: HIGH
Description: 7-Zip Console
Exit code: 0
Version: 9.20
Modules (Images):
  • c:\users\admin\appdata\local\temp\is-27t9l.tmp\7z.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\oleaut32.dll
  • c:\windows\system32\ole32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\lpk.dll

PID: 1876
CMD: C:\Users\admin\mentalmentor\luminati\luminati.exe is_switch_on
Path: C:\Users\admin\mentalmentor\luminati\luminati.exe
Parent process: mentalmentor.exe
User: admin
Integrity Level: HIGH
Exit code: 101
Modules (Images):
  • c:\users\admin\mentalmentor\luminati\luminati.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\users\admin\mentalmentor\luminati\lum_sdk32.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\shlwapi.dll

PID: 1900
CMD: "C:\Users\admin\Desktop\MentalMentor.exe"
Path: C:\Users\admin\Desktop\MentalMentor.exe
Parent process: explorer.exe
User: admin
Company: Mental Mentor
Integrity Level: MEDIUM
Description: Mental Mentor Setup
Exit code: 2
Version: 1.1.0
Modules (Images):
  • c:\users\admin\desktop\mentalmentor.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll

PID: 1940
CMD: C:\ProgramData\BrightData\1c38ac4e31598c50e45dd311c7d362929c5fedd9\idle_report.exe --id 35246
Path: C:\ProgramData\BrightData\1c38ac4e31598c50e45dd311c7d362929c5fedd9\idle_report.exe
Parent process: net_updater32.exe
User: admin
Company: BrightData Ltd.
Integrity Level: MEDIUM
Description: idle_report
Exit code: 0
Version: 1.429.308
Modules (Images):
  • c:\programdata\brightdata\1c38ac4e31598c50e45dd311c7d362929c5fedd9\idle_report.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\mscoree.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

Total events: 48 602
Read events: 48 263
Write events: 309
Delete events: 30

Modification events

(PID) Process | Key | Operation | Name | Value
(748) MentalMentor.tmp | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 | write | Owner | EC02000094FB790560AFDA01
(748) MentalMentor.tmp | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 | write | SessionHash | B32504DB19E195A15CA6E96D45F6D03054F4B07D20A77E06FE6C73D0ACB7D0C7
(748) MentalMentor.tmp | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 | write | Sequence | 1
(748) MentalMentor.tmp | HKEY_CURRENT_USER\Software\mentalmentor | write | autostart | true
(748) MentalMentor.tmp | HKEY_CURRENT_USER\Software\mentalmentor | write | reinstall | false
(748) MentalMentor.tmp | HKEY_CURRENT_USER\Software\mentalmentor | write | installer | true
(748) MentalMentor.tmp | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Mental Mentor | write | InstallLocation | C:\Users\admin\mentalmentor
(748) MentalMentor.tmp | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Mental Mentor | write | DisplayName | Mental Mentor
(748) MentalMentor.tmp | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Mental Mentor | write | DisplayIcon | C:\Users\admin\mentalmentor\mentalmentor.exe
(748) MentalMentor.tmp | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Mental Mentor | write | UninstallString | C:\Users\admin\mentalmentor\uninstall.exe

Executable files: 58
Suspicious files: 186
Text files: 40
Unknown types: 8

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
748 | MentalMentor.tmp | C:\Users\admin\AppData\Local\Temp\is-27T9L.tmp\zip_libs.7z | - | - | -
1056 | 7z.exe | C:\Users\admin\mentalmentor\resources\icudtl.dat | - | - | -
748 | MentalMentor.tmp | C:\Users\admin\AppData\Local\Temp\is-27T9L.tmp\idp.dll | executable | 4AB254C4AC23CBEBE88300EE3701971A | ABD2B6318B0FAE420B5E9A8EDF7FDD8691CC929440BFC5D436CB4489B9EF534A
748 | MentalMentor.tmp | C:\Users\admin\AppData\Local\Temp\is-27T9L.tmp\mentor-inno-lib.dll | executable | CF8B792E9B7B1486710A86337717CBA3 | 305CB219908D900B62FA8B633D05BB7D64D781B6C75210E45C86232235DA6073
1116 | MentalMentor.exe | C:\Users\admin\AppData\Local\Temp\is-2GHVS.tmp\MentalMentor.tmp | executable | 0D041F22D598F3A63BDF0E66C448BDAB | E6B54015C403E3016B848B18FC488D4D281A752BC9AB2A3324BA4D8EFB642563
3968 | MentalMentor.exe | C:\Users\admin\AppData\Local\Temp\is-HF8EP.tmp\MentalMentor.tmp | executable | 0D041F22D598F3A63BDF0E66C448BDAB | E6B54015C403E3016B848B18FC488D4D281A752BC9AB2A3324BA4D8EFB642563
1056 | 7z.exe | C:\Users\admin\mentalmentor\resources\qtwebengine_resources_200p.pak | binary | 083950E31E62FD878A63F30D52C8602B | DEEBBA302ACEBFA268B317A57F56BA631325EDBF053FF32A8D7832347D1ED44D
1056 | 7z.exe | C:\Users\admin\mentalmentor\translations\qtwebengine_locales\en-GB.pak | binary | 8C2C909E930AC37E3D023DADC9378AD8 | C5CC0F9705F8E31583B11CF98DC82E8847CCB6767E81BE9BC9FA17F55FA15152
748 | MentalMentor.tmp | C:\Users\admin\AppData\Local\Temp\is-27T9L.tmp\7z.dll | executable | 04AD4B80880B32C94BE8D0886482C774 | A1E1D1F0FFF4FCCCFBDFA313F3BDFEA4D3DFE2C2D9174A615BBC39A0A6929338
1056 | 7z.exe | C:\Users\admin\mentalmentor\resources\qtwebengine_resources_100p.pak | binary | 67F87F033644EC0EB8B7309EB2B1B7CE | 7EB8E53261798F00EE583E623CE3D9BE107A1F4CF2FC88D667540D230DA04708

Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 21
TCP/UDP connections: 107
DNS requests: 32
Threats: 5

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2372 | net_updater32.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D | US | binary | 471 b | unknown
2372 | net_updater32.exe | GET | 304 | 199.232.210.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?9589ed4a736cfdb1 | US | - | - | unknown
2372 | net_updater32.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D | US | binary | 727 b | unknown
3432 | QtWebEngineProcess.exe | GET | 200 | 2.16.202.115:80 | http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgPuBCWJ4Ldll3mzZbNrkV6nRw%3D%3D | NL | binary | 503 b | unknown
3432 | QtWebEngineProcess.exe | GET | 200 | 2.23.197.184:80 | http://x1.c.lencr.org/ | GB | binary | 717 b | unknown
2372 | net_updater32.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEA4SYN8HbX1atPqRDi932Tc%3D | US | binary | 727 b | unknown
3432 | QtWebEngineProcess.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEATh56TcXPLzbcArQrhdFZ8%3D | US | binary | 471 b | unknown
3432 | QtWebEngineProcess.exe | GET | 200 | 142.250.186.99:80 | http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D | US | binary | 1.41 Kb | unknown
3432 | QtWebEngineProcess.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTPJvUY%2Bsl%2Bj4yzQuAcL2oQno5fCgQUUWj%2FkK8CB3U8zNllZGKiErhZcjsCEA2vl%2Bl0kUYrangZRQVQ%2FQo%3D | US | binary | 471 b | unknown
3432 | QtWebEngineProcess.exe | GET | 200 | 104.18.21.226:80 | http://ocsp.globalsign.com/rootr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCDQHuXxad%2F5c1K2Rl1mo%3D | unknown | binary | 1.41 Kb | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 224.0.0.252:5355 | - | - | - | unknown
1088 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
748 | MentalMentor.tmp | 51.158.210.166:443 | web.mymentalmentor.net | Online S.a.s. | FR | unknown
2524 | luminati.exe | 161.35.48.195:443 | perr.lum-sdk.io | DIGITALOCEAN-ASN | US | unknown
2524 | luminati.exe | 3.228.36.186:443 | - | AMAZON-AES | US | unknown
2524 | luminati.exe | 206.189.231.23:443 | perr.lum-sdk.io | DIGITALOCEAN-ASN | US | unknown
2524 | luminati.exe | 195.154.71.230:443 | web.mentor-staging.mymentalmentor.net | Online S.a.s. | FR | unknown
2560 | net_updater32.exe | 206.189.231.23:443 | perr.lum-sdk.io | DIGITALOCEAN-ASN | US | unknown


DNS requests

Domain | IP | Reputation
web.mymentalmentor.net | 51.158.210.166 | unknown
perr.lum-sdk.io | 161.35.48.195, 159.223.133.120, 206.189.231.23, 192.81.214.145 | unknown
perr.l-err.biz | 206.189.231.23, 192.81.214.145, 159.223.133.120, 161.35.48.195 | unknown
web.mentor-staging.mymentalmentor.net | 195.154.71.230 | unknown
ctldl.windowsupdate.com | 199.232.210.172, 199.232.214.172 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
www.dropbox.com | 162.125.66.18 | shared
brdtest.com | 3.94.40.55, 3.94.72.89 | unknown
uc099fe1e104791b1d2a350c85f8.dl.dropboxusercontent.com | 162.125.66.15 | unknown
www.google-analytics.com | 142.250.185.206 | whitelisted


Threats

PID | Process | Class | Message
1088 | svchost.exe | Potentially Bad Traffic | ET INFO Observed DNS Query to .biz TLD
2372 | net_updater32.exe | Potential Corporate Privacy Violation | ET POLICY Dropbox.com Offsite File Backup in Use
3432 | QtWebEngineProcess.exe | Misc activity | ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard High Port)
3432 | QtWebEngineProcess.exe | Misc activity | ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard High Port)
3432 | QtWebEngineProcess.exe | Misc activity | ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard High Port)

Process | Message
mentalmentor.exe | QWindowsEGLStaticContext::create: Could not initialize EGL display: error 0x3001
mentalmentor.exe | QWindowsEGLStaticContext::create: When using ANGLE, check if d3dcompiler_4x.dll is available