URL: https://www.lunarclient.com/

Full analysis: https://app.any.run/tasks/384185ad-ba81-40b7-a67a-4518828b55bc
Verdict: Malicious activity
Analysis date: April 07, 2025, 16:34:58
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: arch-exec, arch-scr
Indicators:
MD5: 5C6FABFA41871970A9117D833ECDE344
SHA1: 9FF51B3F5DFC5209AFC93231F59645D2F27807CF
SHA256: 34E08E7A942C69ABAFC08AD7DB9182EB77D4F3B2E7311DF4FC56A1E33D3BF748
SSDEEP: 3:N8DSLUcukK:2OLRuD

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes powershell execution policy (Unrestricted)

      • Lunar Client.exe (PID: 5600)
    • Changes the autorun value in the registry

      • reg.exe (PID: 7412)
  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • Lunar Client - Installer.exe (PID: 5556)
      • ow-electron-setup.exe (PID: 1280)
    • Executable content was dropped or overwritten

      • Lunar Client - Installer.exe (PID: 5556)
      • OWInstaller.exe (PID: 7372)
      • ow-electron-setup.exe (PID: 1280)
      • Lunar Client.exe (PID: 6388)
      • Lunar Client.exe (PID: 5600)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • Lunar Client - Installer.exe (PID: 5556)
      • ow-electron-setup.exe (PID: 1280)
    • Drops 7-zip archiver for unpacking

      • Lunar Client - Installer.exe (PID: 5556)
      • ow-electron-setup.exe (PID: 1280)
    • Reads Internet Explorer settings

      • OWInstaller.exe (PID: 7372)
    • Starts CMD.EXE for commands execution

      • ow-electron-setup.exe (PID: 1280)
      • Lunar Client.exe (PID: 5600)
      • Lunar Client.exe (PID: 7952)
    • There is functionality for taking screenshot (YARA)

      • Lunar Client - Installer.exe (PID: 5556)
    • Get information on the list of running processes

      • cmd.exe (PID: 1228)
      • ow-electron-setup.exe (PID: 1280)
    • Reads Microsoft Outlook installation path

      • OWInstaller.exe (PID: 7372)
    • Reads security settings of Internet Explorer

      • OWInstaller.exe (PID: 7372)
      • ow-electron-setup.exe (PID: 1280)
    • Reads the date of Windows installation

      • OWInstaller.exe (PID: 7372)
    • Process drops legitimate windows executable

      • ow-electron-setup.exe (PID: 1280)
      • Lunar Client.exe (PID: 5600)
    • Creates a software uninstall entry

      • ow-electron-setup.exe (PID: 1280)
    • Starts application with an unusual extension

      • cmd.exe (PID: 8164)
      • cmd.exe (PID: 6004)
    • Application launched itself

      • Lunar Client.exe (PID: 5600)
    • The process bypasses the loading of PowerShell profile settings

      • Lunar Client.exe (PID: 5600)
    • The process hides Powershell's copyright startup banner

      • Lunar Client.exe (PID: 5600)
    • Uses REG/REGEDIT.EXE to modify registry

      • Lunar Client.exe (PID: 5600)
    • Starts POWERSHELL.EXE for commands execution

      • Lunar Client.exe (PID: 5600)
    • The process drops C-runtime libraries

      • Lunar Client.exe (PID: 5600)
  • INFO

    • Reads Environment values

      • identity_helper.exe (PID: 8080)
      • identity_helper.exe (PID: 7916)
      • OWInstaller.exe (PID: 7372)
      • Lunar Client.exe (PID: 5600)
      • Lunar Client.exe (PID: 7952)
      • Lunar Client.exe (PID: 6388)
    • Checks supported languages

      • identity_helper.exe (PID: 8080)
      • identity_helper.exe (PID: 7916)
      • OWInstaller.exe (PID: 7372)
      • Lunar Client - Installer.exe (PID: 5556)
      • ow-electron-setup.exe (PID: 1280)
      • Lunar Client.exe (PID: 5600)
      • Lunar Client.exe (PID: 7776)
      • Lunar Client.exe (PID: 7732)
      • Lunar Client.exe (PID: 2332)
      • Lunar Client.exe (PID: 208)
      • Lunar Client.exe (PID: 776)
      • chcp.com (PID: 7820)
      • chcp.com (PID: 4884)
      • Lunar Client.exe (PID: 7952)
      • Lunar Client.exe (PID: 6388)
      • Lunar Client.exe (PID: 7428)
      • Lunar Client.exe (PID: 6980)
      • Lunar Client.exe (PID: 7500)
      • Lunar Client.exe (PID: 7740)
      • Lunar Client.exe (PID: 7908)
      • Lunar Client.exe (PID: 6852)
      • Lunar Client.exe (PID: 7392)
      • Lunar Client.exe (PID: 4120)
    • Reads the computer name

      • identity_helper.exe (PID: 8080)
      • identity_helper.exe (PID: 7916)
      • OWInstaller.exe (PID: 7372)
      • ow-electron-setup.exe (PID: 1280)
      • Lunar Client.exe (PID: 5600)
      • Lunar Client.exe (PID: 7776)
      • Lunar Client.exe (PID: 2332)
      • Lunar Client.exe (PID: 208)
      • Lunar Client.exe (PID: 7952)
      • Lunar Client.exe (PID: 6388)
      • Lunar Client.exe (PID: 4120)
      • Lunar Client.exe (PID: 6852)
      • Lunar Client.exe (PID: 7392)
    • Executable content was dropped or overwritten

      • msedge.exe (PID: 7272)
    • Autorun file from Downloads

      • msedge.exe (PID: 3096)
      • msedge.exe (PID: 7272)
    • Manual execution by a user

      • Lunar Client - Installer.exe (PID: 5556)
      • Lunar Client.exe (PID: 5600)
      • Lunar Client.exe (PID: 7952)
    • The sample compiled with english language support

      • msedge.exe (PID: 7600)
      • msedge.exe (PID: 7272)
      • Lunar Client - Installer.exe (PID: 5556)
      • OWInstaller.exe (PID: 7372)
      • ow-electron-setup.exe (PID: 1280)
      • Lunar Client.exe (PID: 6388)
      • Lunar Client.exe (PID: 5600)
    • Reads the machine GUID from the registry

      • OWInstaller.exe (PID: 7372)
      • ow-electron-setup.exe (PID: 1280)
      • Lunar Client.exe (PID: 5600)
      • Lunar Client.exe (PID: 6852)
    • Create files in a temporary directory

      • OWInstaller.exe (PID: 7372)
      • Lunar Client - Installer.exe (PID: 5556)
      • ow-electron-setup.exe (PID: 1280)
      • Lunar Client.exe (PID: 5600)
      • Lunar Client.exe (PID: 6388)
    • Creates files or folders in the user directory

      • OWInstaller.exe (PID: 7372)
      • Lunar Client - Installer.exe (PID: 5556)
      • ow-electron-setup.exe (PID: 1280)
      • Lunar Client.exe (PID: 7732)
      • Lunar Client.exe (PID: 5600)
      • Lunar Client.exe (PID: 2332)
      • Lunar Client.exe (PID: 6388)
      • Lunar Client.exe (PID: 6852)
    • Disables trace logs

      • OWInstaller.exe (PID: 7372)
    • Application launched itself

      • msedge.exe (PID: 7272)
      • msedge.exe (PID: 4784)
    • Process checks computer location settings

      • OWInstaller.exe (PID: 7372)
      • Lunar Client.exe (PID: 5600)
      • Lunar Client.exe (PID: 776)
      • Lunar Client.exe (PID: 7952)
      • Lunar Client.exe (PID: 6388)
      • Lunar Client.exe (PID: 7428)
      • Lunar Client.exe (PID: 7740)
      • Lunar Client.exe (PID: 7500)
      • Lunar Client.exe (PID: 7908)
      • Lunar Client.exe (PID: 6980)
    • Checks proxy server information

      • OWInstaller.exe (PID: 7372)
      • ow-electron-setup.exe (PID: 1280)
      • Lunar Client.exe (PID: 5600)
      • slui.exe (PID: 7724)
    • Reads the software policy settings

      • OWInstaller.exe (PID: 7372)
      • ow-electron-setup.exe (PID: 1280)
      • slui.exe (PID: 8084)
      • Lunar Client.exe (PID: 208)
      • slui.exe (PID: 7724)
    • Reads product name

      • Lunar Client.exe (PID: 5600)
      • Lunar Client.exe (PID: 7952)
      • Lunar Client.exe (PID: 6388)
    • Changes the display of characters in the console

      • cmd.exe (PID: 8164)
      • cmd.exe (PID: 6004)
    • Reads CPU info

      • Lunar Client.exe (PID: 5600)
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 247
Monitored processes: 108
Malicious processes: 4
Suspicious processes: 1

Behavior graph


Process information

PID: 208
CMD: "C:\Users\admin\AppData\Local\Programs\Lunar Client\Lunar Client.exe" --type=cs --cs-app=lunarclient --uid=jilehohlakeokncafogkgnicgndeecdiengddbcc --phase=43 --muid=bb926e54-e3ca-40fd-ae90-2764341e7792 --muidv2=fe9eb5ba-3c73-4ead-972a-c023bcb50e41 --first-run
Path: C:\Users\admin\AppData\Local\Programs\Lunar Client\Lunar Client.exe
Parent process: Lunar Client.exe
User: admin
Company: Moonsworth LLC
Integrity Level: MEDIUM
Description: Electron launcher for Lunar Client
Exit code: 0
Version: 3.3.6-ow
Modules (images):
c:\users\admin\appdata\local\programs\lunar client\lunar client.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 744
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7432 --field-trial-handle=2332,i,10023282056272808942,12873827150649771753,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules (images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 744
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: reg.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 776
CMD: "C:\Users\admin\AppData\Local\Programs\Lunar Client\Lunar Client.exe" --type=renderer --user-data-dir="C:\Users\admin\AppData\Roaming\lunarclient" --standard-schemes=owepm --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --streaming-schemes=owepm --app-user-model-id=com.moonsworth.client --app-path="C:\Users\admin\AppData\Local\Programs\Lunar Client\resources\app.asar" --no-sandbox --no-zygote --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=4 --field-trial-handle=2728,i,6673696462246517435,17418095836417550756,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2724 /prefetch:1
Path: C:\Users\admin\AppData\Local\Programs\Lunar Client\Lunar Client.exe
Parent process: Lunar Client.exe
User: admin
Company: Moonsworth LLC
Integrity Level: MEDIUM
Description: Electron launcher for Lunar Client
Version: 3.3.6-ow
Modules (images):
c:\users\admin\appdata\local\programs\lunar client\lunar client.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 856
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 920
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7628 --field-trial-handle=2332,i,10023282056272808942,12873827150649771753,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules (images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 1128
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.59 --initial-client-data=0x2a4,0x2a8,0x2ac,0x29c,0x2b4,0x7ffc88735fd8,0x7ffc88735fe4,0x7ffc88735ff0
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge
Version: 122.0.2365.59
Modules (images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 1228
CMD: "C:\WINDOWS\system32\cmd.exe" /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq Lunar Client.exe" /FO csv | "C:\WINDOWS\system32\find.exe" "Lunar Client.exe"
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: ow-electron-setup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 1
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

PID: 1280
CMD: "C:\Users\admin\AppData\Local\Temp\ow-electron-setup-jilehohlakeokncafogkgnicgndeecdiengddbcc\ow-electron-setup.exe" /S --force-run /d="C:\Users\admin\AppData\Local\Programs\Lunar Client"
Path: C:\Users\admin\AppData\Local\Temp\ow-electron-setup-jilehohlakeokncafogkgnicgndeecdiengddbcc\ow-electron-setup.exe
Parent process: OWInstaller.exe
User: admin
Company: Moonsworth LLC
Integrity Level: HIGH
Description: Electron launcher for Lunar Client
Exit code: 0
Version: 3.3.6-ow
Modules (images):
c:\users\admin\appdata\local\temp\ow-electron-setup-jilehohlakeokncafogkgnicgndeecdiengddbcc\ow-electron-setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

PID: 2244
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 29 636
Read events: 29 532
Write events: 84
Delete events: 20

Modification events

(PID) Process: (7272) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write
Name: failed_count
Value: 0

(PID) Process: (7272) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write
Name: state
Value: 2

(PID) Process: (7272) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write
Name: state
Value: 1

(PID) Process: (7272) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\StabilityMetrics
Operation: write
Name: user_experience_metrics.stability.exited_cleanly
Value: 0

(PID) Process: (7272) msedge.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation: write
Name: S-1-5-21-1693682860-607145093-2874071422-1001
Value: 78DA021AC9902F00

(PID) Process: (7272) msedge.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation: write
Name: S-1-5-21-1693682860-607145093-2874071422-1001
Value: 8B600C1AC9902F00

(PID) Process: (7272) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\394060
Operation: write
Name: WindowTabManagerFileMappingId
Value: {A07E7F2E-BDCD-482B-B5C9-9676A61E84F2}

(PID) Process: (7272) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\394060
Operation: write
Name: WindowTabManagerFileMappingId
Value: {731B1C3A-0A07-43E6-B592-CF22CD8DEE03}

(PID) Process: (7272) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\394060
Operation: write
Name: WindowTabManagerFileMappingId
Value: {4ECF93AB-6346-4C46-89D2-D468BE2A7DFC}

(PID) Process: (7272) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\394060
Operation: write
Name: WindowTabManagerFileMappingId
Value: {299E4C8D-FA23-44D8-9C73-BCED23438F6D}
Executable files: 197
Suspicious files: 2 730
Text files: 4 593
Unknown types: 0

Dropped files

PID: 7272 | Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF10b826.TMP

PID: 7272 | Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old

PID: 7272 | Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF10b836.TMP

PID: 7272 | Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old

PID: 7272 | Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF10b855.TMP

PID: 7272 | Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old

PID: 7272 | Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF10b836.TMP

PID: 7272 | Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old

PID: 7272 | Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF10b855.TMP

PID: 7272 | Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
HTTP(S) requests: 46
TCP/UDP connections: 574
DNS requests: 646
Threats: 196

HTTP requests

Method: GET | HTTP Code: 200 | IP: 23.216.77.6:80 | CN: unknown | Reputation: whitelisted
URL: http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl

PID: 7372 | Process: OWInstaller.exe | Method: GET | HTTP Code: 200 | IP: 142.250.185.174:80 | CN: unknown | Reputation: whitelisted
URL: http://www.google-analytics.com/__utm.gif?utmwv=4.7.2&utmn=718132730&utmhn=&utmcs=UTF-8&utmsr=-&utmsc=-&utmul=-&utmje=0&utmfl=-&utmdt=&utmhid=799906519&utmr=/&utmp=/&utmac=UA-80584726-1&utmcc=__utma%3D0.1603863227.1744043723.1744043723.1744043723.2%3B%2B__utmz%3D0.1744043723.1.1.utmcsr%3D%28direct%29%7Cutmccn%3D%7Cutmcmd%3D%3B&utme=5%28Funnel2%2AInstaller%20Launched%2A%29%28%29&gaq=1&utmt=event

PID: 6544 | Process: svchost.exe | Method: GET | HTTP Code: 200 | IP: 2.17.190.73:80 | CN: unknown | Reputation: whitelisted
URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D

PID: 7372 | Process: OWInstaller.exe | Method: GET | HTTP Code: 200 | IP: 142.250.185.174:80 | CN: unknown | Reputation: whitelisted
URL: http://www.google-analytics.com/__utm.gif?utmwv=4.7.2&utmn=380102031&utmhn=&utmcs=UTF-8&utmsr=-&utmsc=-&utmul=-&utmje=0&utmfl=-&utmdt=&utmhid=171931599&utmr=/&utmp=/&utmac=UA-18298709-8&utmcc=__utma%3D0.1603863227.1744043723.1744043723.1744043723.2%3B%2B__utmz%3D0.1744043723.1.1.utmcsr%3D%28direct%29%7Cutmccn%3D%7Cutmcmd%3D%3B&utme=5%28Funnel2%2AInstaller%20Launched%2A%29%28%29&gaq=1&utmt=event

PID: 7372 | Process: OWInstaller.exe | Method: GET | HTTP Code: 200 | IP: 18.245.38.41:80 | CN: unknown | Reputation: whitelisted
URL: http://ocsp.rootca3.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRkNawYMzz%2BjKSfYbTyFR0AXuhs6QQUq7bb1waeN6wwhgeRcMecxBmxeMACEwdzEnA9eVH9TrLXPKuCavuqCA0%3D

PID: 7372 | Process: OWInstaller.exe | Method: GET | HTTP Code: 200 | IP: 142.250.185.163:80 | CN: unknown | Reputation: whitelisted
URL: http://c.pki.goog/r/r4.crl

PID: 7372 | Process: OWInstaller.exe | Method: GET | HTTP Code: 200 | IP: 142.250.185.163:80 | CN: unknown | Reputation: whitelisted
URL: http://c.pki.goog/r/gsr1.crl

PID: 7372 | Process: OWInstaller.exe | Method: GET | HTTP Code: 200 | IP: 18.245.38.41:80 | CN: unknown | Reputation: whitelisted
URL: http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwdzEkpLy9ROx7U76vGUhC06D6E%3D

PID: 7372 | Process: OWInstaller.exe | Method: GET | HTTP Code: 200 | IP: 142.250.185.163:80 | CN: unknown | Reputation: whitelisted
URL: http://o.pki.goog/we2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTuMJxAT2trYla0jia%2F5EUSmLrk3QQUdb7Ed66J9kQ3fc%2BxaB8dGuvcNFkCEHGvPPlOXde9CQBZ60wQP4Y%3D

PID: 7372 | Process: OWInstaller.exe | Method: GET | HTTP Code: 200 | IP: 142.250.185.163:80 | CN: unknown | Reputation: whitelisted
URL: http://o.pki.goog/we2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTuMJxAT2trYla0jia%2F5EUSmLrk3QQUdb7Ed66J9kQ3fc%2BxaB8dGuvcNFkCEQC9ZcgYQ%2FurORDkqLZcs5MY

Connections

PID: 2104 | Process: svchost.exe | IP: 51.104.136.2:443 | Domain: settings-win.data.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: IE | Reputation: whitelisted
PID: 4 | Process: System | IP: 192.168.100.255:137 | Reputation: whitelisted
IP: 51.104.136.2:443 | Domain: settings-win.data.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: IE | Reputation: whitelisted
IP: 23.216.77.6:80 | Domain: crl.microsoft.com | ASN: Akamai International B.V. | CN: DE | Reputation: whitelisted
PID: 4 | Process: System | IP: 192.168.100.255:138 | Reputation: whitelisted
PID: 7272 | Process: msedge.exe | IP: 239.255.255.250:1900 | Reputation: whitelisted
PID: 7600 | Process: msedge.exe | IP: 104.18.12.46:443 | Domain: www.lunarclient.com | Reputation: unknown
PID: 7600 | Process: msedge.exe | IP: 157.240.251.9:443 | Domain: connect.facebook.net | Reputation: whitelisted
PID: 7600 | Process: msedge.exe | IP: 104.18.31.194:443 | Domain: skins.mcstats.com | Reputation: suspicious
PID: 7600 | Process: msedge.exe | IP: 13.107.42.16:443 | Domain: config.edge.skype.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: US | Reputation: whitelisted

DNS requests

Domain | Resolved IPs | Reputation
settings-win.data.microsoft.com | 51.104.136.2, 4.231.128.59 | whitelisted
google.com | 172.217.16.206 | whitelisted
crl.microsoft.com | 23.216.77.6, 23.216.77.28 | whitelisted
config.edge.skype.com | 13.107.42.16 | whitelisted
edge.microsoft.com | 150.171.28.11, 150.171.27.11, 46.228.174.115 | whitelisted
edge-mobile-static.azureedge.net | 13.107.253.45 | whitelisted
www.lunarclient.com | 104.18.12.46, 104.18.13.46 | unknown
business.bing.com | 13.107.6.158 | whitelisted
www.googletagmanager.com | 142.250.185.232, 142.250.185.136 | whitelisted
www.google-analytics.com | 142.250.185.174 | whitelisted

Threats

PID | Process | Class | Message
7600 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] An application monitoring request to sentry .io
7600 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] An application monitoring request to sentry .io
2332 | Lunar Client.exe | Generic Protocol Command Decode | SURICATA QUIC failed decrypt
2332 | Lunar Client.exe | Generic Protocol Command Decode | SURICATA QUIC failed decrypt
2332 | Lunar Client.exe | Generic Protocol Command Decode | SURICATA QUIC failed decrypt
2332 | Lunar Client.exe | Generic Protocol Command Decode | SURICATA QUIC failed decrypt
2332 | Lunar Client.exe | Generic Protocol Command Decode | SURICATA QUIC failed decrypt
2332 | Lunar Client.exe | Generic Protocol Command Decode | SURICATA QUIC failed decrypt
2332 | Lunar Client.exe | Generic Protocol Command Decode | SURICATA QUIC failed decrypt
2332 | Lunar Client.exe | Generic Protocol Command Decode | SURICATA QUIC failed decrypt
No debug info