URL: https://lunaferies.com/

Full analysis: https://app.any.run/tasks/aacdd175-6d38-4a5c-88d2-60bf027135dd
Verdict: Malicious activity
Threats:

Stealers are a category of malicious software intended to gain unauthorized access to users' information and transfer it to the attacker. The stealer category includes various programs, each focused on a particular kind of data, such as files, passwords, and cryptocurrency. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: February 17, 2026, 17:54:06
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
discord
arch-exec
stealer
github
anti-evasion
arch-doc
python
ims-api
generic
rapid
nodejs
evasion
Indicators:
MD5: 71D5D3D69864C8370BF6AF20D2C9E9D1
SHA1: B614D0783195ED64EA49E4E595F53E8194C7582B
SHA256: 37F2019297A4D1EB182C14F1125396491E6F26DBBC9B172B8FE1A2817355BF7D
SSDEEP: 3:N8QLqAQZ3:2Q2AM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • LunaferiesSetup.exe (PID: 6808)
      • LunaferiesSetup.exe (PID: 6996)
      • skip.exe (PID: 1884)
      • skip.exe (PID: 2416)
      • skip.exe (PID: 7832)
      • skip.exe (PID: 7368)
      • skip.exe (PID: 7540)
    • Actions look like stealing of personal data

      • skip.exe (PID: 7832)
      • python.exe (PID: 8952)
      • python.exe (PID: 4828)
      • python.exe (PID: 8040)
    • Changes Windows Defender settings

      • cscript.exe (PID: 7772)
      • cscript.exe (PID: 7212)
      • cmd.exe (PID: 4500)
    • Adds path to the Windows Defender exclusion list

      • cscript.exe (PID: 7772)
      • cscript.exe (PID: 7212)
    • Changes settings for real-time protection

      • powershell.exe (PID: 3696)
    • RAPID has been detected (YARA)

      • skip.exe (PID: 7832)
    • Starts NET.EXE for service management

      • net.exe (PID: 6236)
      • cmd.exe (PID: 4216)
    • Steals credentials from Web Browsers

      • skip.exe (PID: 7832)
    • Deletes shadow copies

      • WMIC.exe (PID: 7240)
    • Get Monitor Information (POWERSHELL)

      • skip.exe (PID: 7832)
    • Create files in the Startup directory

      • cscript.exe (PID: 4788)
    • Suspicious browser debugging (Possible cookie theft)

      • msedge.exe (PID: 2860)
      • msedge.exe (PID: 5012)
      • msedge.exe (PID: 8496)
      • msedge.exe (PID: 6600)
      • msedge.exe (PID: 2392)
      • msedge.exe (PID: 7856)
      • msedge.exe (PID: 9136)
      • msedge.exe (PID: 8792)
      • msedge.exe (PID: 1040)
  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • LunaferiesSetup.exe (PID: 6808)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • LunaferiesSetup.exe (PID: 6808)
    • Executable content was dropped or overwritten

      • LunaferiesSetup.exe (PID: 6808)
      • skip.exe (PID: 7832)
      • python.exe (PID: 6224)
      • python.exe (PID: 2600)
    • Drops 7-zip archiver for unpacking

      • LunaferiesSetup.exe (PID: 6808)
    • Process drops legitimate windows executable

      • LunaferiesSetup.exe (PID: 6808)
      • skip.exe (PID: 7832)
      • python.exe (PID: 2600)
    • Possible stealing of messenger data

      • skip.exe (PID: 2416)
      • skip.exe (PID: 7832)
    • Application launched itself

      • skip.exe (PID: 2416)
      • skip.exe (PID: 7832)
      • cmd.exe (PID: 1976)
      • cmd.exe (PID: 7576)
      • cmd.exe (PID: 7320)
      • cmd.exe (PID: 1948)
    • Starts CMD.EXE for commands execution

      • skip.exe (PID: 7832)
      • cmd.exe (PID: 7576)
      • cmd.exe (PID: 1976)
      • cmd.exe (PID: 1948)
      • cmd.exe (PID: 7320)
      • python.exe (PID: 5708)
      • python.exe (PID: 2600)
      • python.exe (PID: 6224)
      • python.exe (PID: 8952)
      • python.exe (PID: 8080)
      • python.exe (PID: 8224)
      • python.exe (PID: 6416)
      • python.exe (PID: 4828)
      • python.exe (PID: 7976)
      • python.exe (PID: 1200)
      • python.exe (PID: 8544)
      • python.exe (PID: 8040)
    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 2600)
      • cmd.exe (PID: 1040)
      • cmd.exe (PID: 9148)
      • cmd.exe (PID: 7724)
    • Accesses product unique identifier via WMI (SCRIPT)

      • WMIC.exe (PID: 6916)
    • Starts POWERSHELL.EXE for commands execution

      • cscript.exe (PID: 7772)
      • cscript.exe (PID: 7212)
      • cmd.exe (PID: 4500)
      • cmd.exe (PID: 7764)
      • skip.exe (PID: 7832)
      • cmd.exe (PID: 7812)
      • cmd.exe (PID: 8652)
      • cmd.exe (PID: 7964)
      • cmd.exe (PID: 6956)
      • cmd.exe (PID: 7700)
      • cmd.exe (PID: 4044)
    • Manipulates environment variables

      • powershell.exe (PID: 8520)
      • powershell.exe (PID: 3952)
    • Script adds exclusion path to Windows Defender

      • cscript.exe (PID: 7772)
      • cscript.exe (PID: 7212)
    • Runs shell command (SCRIPT)

      • cscript.exe (PID: 7772)
      • cscript.exe (PID: 7212)
      • cscript.exe (PID: 5448)
      • cscript.exe (PID: 8400)
      • cscript.exe (PID: 7976)
    • Windows service management via SC.EXE

      • sc.exe (PID: 3544)
    • Starts SC.EXE for service management

      • cmd.exe (PID: 748)
    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 8496)
      • cmd.exe (PID: 7948)
      • cmd.exe (PID: 8736)
      • cmd.exe (PID: 7856)
      • cmd.exe (PID: 4816)
      • cmd.exe (PID: 6916)
      • cmd.exe (PID: 5660)
      • cmd.exe (PID: 6600)
      • cmd.exe (PID: 8516)
      • cmd.exe (PID: 7412)
    • Get information on the list of running processes

      • skip.exe (PID: 7832)
      • cmd.exe (PID: 8496)
      • cmd.exe (PID: 4816)
      • cmd.exe (PID: 7856)
      • cmd.exe (PID: 6916)
      • cmd.exe (PID: 8736)
      • cmd.exe (PID: 7948)
      • cmd.exe (PID: 7764)
      • cmd.exe (PID: 1948)
      • cmd.exe (PID: 7576)
      • cmd.exe (PID: 1976)
      • cmd.exe (PID: 7320)
      • cmd.exe (PID: 5660)
      • cmd.exe (PID: 7412)
      • cmd.exe (PID: 6600)
      • cmd.exe (PID: 8516)
    • Script disables Windows Defender's real-time protection

      • cmd.exe (PID: 4500)
    • Possible usage of Discord/Telegram API has been detected (YARA)

      • skip.exe (PID: 7832)
    • Hides command output

      • cmd.exe (PID: 7576)
      • cmd.exe (PID: 1976)
      • cmd.exe (PID: 5204)
      • cmd.exe (PID: 7764)
      • cmd.exe (PID: 9040)
      • cmd.exe (PID: 7320)
      • cmd.exe (PID: 1948)
      • cmd.exe (PID: 8072)
      • cmd.exe (PID: 676)
      • cmd.exe (PID: 8576)
      • cmd.exe (PID: 8516)
      • cmd.exe (PID: 6296)
      • cmd.exe (PID: 2016)
    • Kill processes via PowerShell

      • powershell.exe (PID: 876)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 9040)
      • cmd.exe (PID: 9056)
      • cmd.exe (PID: 1760)
      • cmd.exe (PID: 8252)
      • cmd.exe (PID: 5088)
      • cmd.exe (PID: 3552)
      • cmd.exe (PID: 7292)
    • Hides errors and continues executing the command without stopping

      • powershell.exe (PID: 876)
      • powershell.exe (PID: 8692)
    • Uses WMIC.EXE to obtain data on processes

      • cmd.exe (PID: 5204)
    • Obfuscation pattern (POWERSHELL)

      • powershell.exe (PID: 2248)
      • powershell.exe (PID: 5992)
      • powershell.exe (PID: 7052)
      • powershell.exe (PID: 5216)
      • powershell.exe (PID: 4724)
      • powershell.exe (PID: 5920)
    • Decimal command obfuscation (POWERSHELL)

      • skip.exe (PID: 7832)
      • cmd.exe (PID: 7812)
      • cmd.exe (PID: 8652)
      • cmd.exe (PID: 7964)
      • cmd.exe (PID: 6956)
      • cmd.exe (PID: 7700)
      • cmd.exe (PID: 4044)
    • Cryptography encrypted command line is found

      • cmd.exe (PID: 7812)
      • powershell.exe (PID: 2248)
      • cmd.exe (PID: 8652)
      • powershell.exe (PID: 5992)
      • cmd.exe (PID: 7964)
      • powershell.exe (PID: 7052)
      • powershell.exe (PID: 5216)
      • cmd.exe (PID: 6956)
      • cmd.exe (PID: 7700)
      • powershell.exe (PID: 4724)
      • cmd.exe (PID: 4044)
      • powershell.exe (PID: 5920)
    • The process drops C-runtime libraries

      • skip.exe (PID: 7832)
    • Process drops python dynamic module

      • skip.exe (PID: 7832)
      • python.exe (PID: 6224)
      • python.exe (PID: 2600)
    • Loads Python modules

      • python.exe (PID: 6224)
      • python.exe (PID: 2600)
      • python.exe (PID: 5708)
      • python.exe (PID: 8952)
      • python.exe (PID: 6416)
      • python.exe (PID: 8080)
      • python.exe (PID: 8224)
      • python.exe (PID: 4828)
      • python.exe (PID: 1200)
      • python.exe (PID: 8544)
      • python.exe (PID: 7976)
      • python.exe (PID: 8040)
    • Uses TASKKILL.EXE to kill Browsers

      • cmd.exe (PID: 8020)
      • cmd.exe (PID: 676)
      • cmd.exe (PID: 8072)
      • cmd.exe (PID: 2900)
      • cmd.exe (PID: 8576)
      • cmd.exe (PID: 8516)
      • cmd.exe (PID: 3020)
      • cmd.exe (PID: 8180)
      • cmd.exe (PID: 6296)
      • cmd.exe (PID: 2016)
      • cmd.exe (PID: 3032)
      • cmd.exe (PID: 6548)
    • Browser headless start

      • msedge.exe (PID: 2860)
      • msedge.exe (PID: 5012)
      • msedge.exe (PID: 3952)
      • msedge.exe (PID: 8496)
      • msedge.exe (PID: 1484)
      • msedge.exe (PID: 6600)
      • msedge.exe (PID: 2392)
      • msedge.exe (PID: 2364)
      • msedge.exe (PID: 7856)
      • msedge.exe (PID: 7860)
      • msedge.exe (PID: 1040)
      • msedge.exe (PID: 9136)
      • msedge.exe (PID: 5808)
      • msedge.exe (PID: 6584)
      • msedge.exe (PID: 8792)
    • Browser sandbox disabling

      • msedge.exe (PID: 2860)
      • msedge.exe (PID: 8496)
      • msedge.exe (PID: 5012)
      • msedge.exe (PID: 6992)
      • msedge.exe (PID: 3952)
      • msedge.exe (PID: 8124)
      • msedge.exe (PID: 5208)
      • msedge.exe (PID: 1484)
      • msedge.exe (PID: 8756)
      • msedge.exe (PID: 8596)
      • msedge.exe (PID: 1908)
      • msedge.exe (PID: 5520)
      • msedge.exe (PID: 6600)
      • msedge.exe (PID: 3500)
      • msedge.exe (PID: 2392)
      • msedge.exe (PID: 2364)
      • msedge.exe (PID: 7916)
      • msedge.exe (PID: 7860)
      • msedge.exe (PID: 1188)
      • msedge.exe (PID: 7568)
      • msedge.exe (PID: 2788)
      • msedge.exe (PID: 1612)
      • msedge.exe (PID: 7372)
      • msedge.exe (PID: 7856)
      • msedge.exe (PID: 9136)
      • msedge.exe (PID: 1040)
      • msedge.exe (PID: 5808)
      • msedge.exe (PID: 8492)
      • msedge.exe (PID: 8792)
      • msedge.exe (PID: 8692)
      • msedge.exe (PID: 7480)
      • msedge.exe (PID: 5896)
      • msedge.exe (PID: 6584)
      • msedge.exe (PID: 1212)
      • msedge.exe (PID: 7532)
      • msedge.exe (PID: 6908)
    • Uses WMIC.EXE to obtain a list of video controllers

      • cmd.exe (PID: 7916)
      • cmd.exe (PID: 7296)
      • cmd.exe (PID: 9196)
    • Potential Corporate Privacy Violation

      • skip.exe (PID: 7832)
    • Checks for external IP

      • skip.exe (PID: 7832)
    • Possible stealing from crypto wallets

      • skip.exe (PID: 7832)
    • The process executes VB scripts

      • cscript.exe (PID: 5448)
      • cscript.exe (PID: 772)
    • Start notepad (likely ransomware note)

      • WinRAR.exe (PID: 6792)
  • INFO

    • Checks supported languages

      • identity_helper.exe (PID: 9084)
      • LunaferiesSetup.exe (PID: 6808)
      • skip.exe (PID: 2416)
      • skip.exe (PID: 7832)
      • skip.exe (PID: 7368)
      • skip.exe (PID: 7540)
      • python.exe (PID: 6224)
      • python.exe (PID: 5708)
      • python.exe (PID: 2600)
      • python.exe (PID: 8952)
      • identity_helper.exe (PID: 6348)
      • python.exe (PID: 8080)
      • python.exe (PID: 6416)
      • python.exe (PID: 8224)
      • python.exe (PID: 4828)
      • identity_helper.exe (PID: 2864)
      • python.exe (PID: 1200)
      • python.exe (PID: 7976)
      • python.exe (PID: 8544)
      • python.exe (PID: 8040)
      • identity_helper.exe (PID: 8536)
    • The sample is compiled with English language support

      • msedge.exe (PID: 7876)
      • LunaferiesSetup.exe (PID: 6808)
      • skip.exe (PID: 7832)
      • python.exe (PID: 2600)
    • Reads the computer name

      • identity_helper.exe (PID: 9084)
      • LunaferiesSetup.exe (PID: 6808)
      • skip.exe (PID: 7832)
      • skip.exe (PID: 7368)
      • skip.exe (PID: 7540)
      • python.exe (PID: 5708)
      • python.exe (PID: 2600)
      • python.exe (PID: 6224)
      • python.exe (PID: 8952)
      • identity_helper.exe (PID: 6348)
      • python.exe (PID: 8224)
      • python.exe (PID: 6416)
      • python.exe (PID: 8080)
      • python.exe (PID: 4828)
      • identity_helper.exe (PID: 2864)
      • python.exe (PID: 1200)
      • python.exe (PID: 7976)
      • python.exe (PID: 8544)
      • python.exe (PID: 8040)
      • identity_helper.exe (PID: 8536)
    • Create files in a temporary directory

      • LunaferiesSetup.exe (PID: 6808)
      • skip.exe (PID: 7832)
      • powershell.exe (PID: 8692)
      • python.exe (PID: 2600)
      • python.exe (PID: 6224)
      • python.exe (PID: 5708)
      • python.exe (PID: 8952)
      • python.exe (PID: 8080)
      • python.exe (PID: 6416)
      • python.exe (PID: 8224)
      • python.exe (PID: 4828)
      • python.exe (PID: 8544)
      • python.exe (PID: 7976)
      • python.exe (PID: 1200)
      • python.exe (PID: 8040)
    • Application launched itself

      • msedge.exe (PID: 7876)
      • msedge.exe (PID: 2860)
      • msedge.exe (PID: 5012)
      • msedge.exe (PID: 8496)
      • msedge.exe (PID: 2392)
      • msedge.exe (PID: 6600)
      • msedge.exe (PID: 7856)
      • msedge.exe (PID: 1040)
      • msedge.exe (PID: 9136)
      • msedge.exe (PID: 8792)
    • Reads Environment values

      • identity_helper.exe (PID: 9084)
      • skip.exe (PID: 2416)
      • skip.exe (PID: 7832)
      • identity_helper.exe (PID: 6348)
      • identity_helper.exe (PID: 2864)
      • identity_helper.exe (PID: 8536)
    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 4424)
      • LunaferiesSetup.exe (PID: 6808)
      • WMIC.exe (PID: 6916)
      • cscript.exe (PID: 7212)
      • cscript.exe (PID: 7772)
      • powershell.exe (PID: 8692)
      • WMIC.exe (PID: 7240)
      • cscript.exe (PID: 4788)
      • cscript.exe (PID: 2236)
      • WMIC.exe (PID: 8100)
      • WMIC.exe (PID: 2432)
      • cscript.exe (PID: 8512)
      • cscript.exe (PID: 8852)
      • cscript.exe (PID: 5448)
      • WMIC.exe (PID: 5696)
      • cscript.exe (PID: 8080)
      • cscript.exe (PID: 8400)
      • WMIC.exe (PID: 4784)
      • cscript.exe (PID: 772)
      • WMIC.exe (PID: 7788)
      • WMIC.exe (PID: 8240)
      • notepad.exe (PID: 2784)
      • WinRAR.exe (PID: 6792)
      • notepad.exe (PID: 6864)
      • notepad.exe (PID: 3032)
      • cscript.exe (PID: 7976)
    • Creates files in the program directory

      • LunaferiesSetup.exe (PID: 6808)
    • Creates a software uninstall entry

      • LunaferiesSetup.exe (PID: 6808)
    • Manual execution by a user

      • skip.exe (PID: 1884)
      • skip.exe (PID: 2416)
      • notepad++.exe (PID: 8600)
      • notepad++.exe (PID: 4340)
      • notepad.exe (PID: 5108)
      • msedge.exe (PID: 8496)
      • msedge.exe (PID: 7856)
      • msedge.exe (PID: 8792)
      • WinRAR.exe (PID: 6792)
      • notepad++.exe (PID: 5996)
    • Reads product name

      • skip.exe (PID: 2416)
      • skip.exe (PID: 7832)
    • Drops script file

      • LunaferiesSetup.exe (PID: 6808)
      • skip.exe (PID: 2416)
      • skip.exe (PID: 7832)
      • cscript.exe (PID: 7772)
      • powershell.exe (PID: 8520)
      • powershell.exe (PID: 3952)
      • cscript.exe (PID: 7212)
      • powershell.exe (PID: 3696)
      • powershell.exe (PID: 876)
      • powershell.exe (PID: 8692)
      • cscript.exe (PID: 4788)
      • cscript.exe (PID: 2236)
      • powershell.exe (PID: 2248)
      • powershell.exe (PID: 5992)
      • python.exe (PID: 2600)
      • python.exe (PID: 5708)
      • python.exe (PID: 6224)
      • notepad++.exe (PID: 8600)
      • python.exe (PID: 8952)
      • cscript.exe (PID: 8512)
      • cscript.exe (PID: 8852)
      • powershell.exe (PID: 7052)
      • powershell.exe (PID: 5216)
      • python.exe (PID: 6416)
      • cscript.exe (PID: 5448)
      • python.exe (PID: 8224)
      • python.exe (PID: 8080)
      • python.exe (PID: 4828)
      • cscript.exe (PID: 772)
      • cscript.exe (PID: 8080)
      • cscript.exe (PID: 8400)
      • powershell.exe (PID: 4724)
      • powershell.exe (PID: 5920)
      • python.exe (PID: 8544)
      • python.exe (PID: 1200)
      • python.exe (PID: 7976)
      • python.exe (PID: 8040)
      • cscript.exe (PID: 7976)
      • notepad++.exe (PID: 5996)
    • Creates files or folders in the user directory

      • LunaferiesSetup.exe (PID: 6808)
      • skip.exe (PID: 7832)
      • cscript.exe (PID: 4788)
      • python.exe (PID: 2600)
      • python.exe (PID: 5708)
      • python.exe (PID: 6224)
      • python.exe (PID: 8080)
      • python.exe (PID: 6416)
      • python.exe (PID: 8224)
      • python.exe (PID: 7976)
      • python.exe (PID: 8544)
      • python.exe (PID: 1200)
    • There is functionality for taking screenshot (YARA)

      • LunaferiesSetup.exe (PID: 6808)
      • skip.exe (PID: 7368)
    • Checks proxy server information

      • skip.exe (PID: 7832)
      • python.exe (PID: 5708)
      • python.exe (PID: 2600)
      • python.exe (PID: 6224)
      • slui.exe (PID: 6416)
      • python.exe (PID: 6416)
      • python.exe (PID: 8080)
      • python.exe (PID: 8224)
      • python.exe (PID: 1200)
      • python.exe (PID: 7976)
      • python.exe (PID: 8544)
    • Reads the machine GUID from the registry

      • skip.exe (PID: 7832)
      • python.exe (PID: 2600)
      • python.exe (PID: 6224)
      • python.exe (PID: 5708)
      • python.exe (PID: 8952)
      • python.exe (PID: 8080)
      • python.exe (PID: 8224)
      • python.exe (PID: 6416)
      • python.exe (PID: 4828)
      • python.exe (PID: 1200)
      • python.exe (PID: 7976)
      • python.exe (PID: 8544)
      • python.exe (PID: 8040)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 8520)
      • powershell.exe (PID: 3952)
      • powershell.exe (PID: 3696)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 8520)
      • powershell.exe (PID: 3952)
      • powershell.exe (PID: 3696)
    • FOR cycle in command line

      • cmd.exe (PID: 7320)
      • cmd.exe (PID: 7576)
      • cmd.exe (PID: 1976)
      • cmd.exe (PID: 1948)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 8692)
    • Process checks computer location settings

      • skip.exe (PID: 7832)
    • Launching a file from the Startup directory

      • cscript.exe (PID: 4788)
    • Python executable

      • python.exe (PID: 5708)
      • python.exe (PID: 2600)
      • python.exe (PID: 6224)
      • python.exe (PID: 8952)
      • python.exe (PID: 8080)
      • python.exe (PID: 6416)
      • python.exe (PID: 8224)
      • python.exe (PID: 4828)
      • python.exe (PID: 7976)
      • python.exe (PID: 8544)
      • python.exe (PID: 1200)
      • python.exe (PID: 8040)
    • Node.js compiler has been detected

      • skip.exe (PID: 7832)
      • skip.exe (PID: 7368)
      • skip.exe (PID: 7540)
    • Checks operating system version

      • python.exe (PID: 5708)
      • python.exe (PID: 2600)
      • python.exe (PID: 6224)
      • python.exe (PID: 8224)
      • python.exe (PID: 8080)
      • python.exe (PID: 6416)
      • python.exe (PID: 8544)
      • python.exe (PID: 7976)
      • python.exe (PID: 1200)
    • Drops encrypted JS script (Microsoft Script Encoder)

      • python.exe (PID: 2600)
      • python.exe (PID: 6224)
      • python.exe (PID: 5708)
      • python.exe (PID: 8080)
      • python.exe (PID: 8224)
      • python.exe (PID: 6416)
      • python.exe (PID: 7976)
      • python.exe (PID: 1200)
      • python.exe (PID: 8544)
    • Reads CPU info

      • skip.exe (PID: 7832)
    • Reads Microsoft Office registry keys

      • WinRAR.exe (PID: 6792)
Find more information about signature artifacts and mapping to the MITRE ATT&CK™ MATRIX in the full report

ims-api

(PID) Process(7832) skip.exe
Discord-Webhook-Tokens (2)
1459172095824105588/8menVSR9wGMGeOYIPXgvc1sZgJ_E0iwyCfsoHmcFq_MlRVRFRyc7OYfjpBOT907wkTEg
1446172674832334870/CGqSWZ2SjEJ_UgVHL5GZ_uRiiDhGjMMYKT2Ol8ozLrefGEYiOtD6SlgYvIcG3yNcQQk_
Discord-Info-Links
Get Webhook Info: https://discord.com/api/webhooks/1459172095824105588/8menVSR9wGMGeOYIPXgvc1sZgJ_E0iwyCfsoHmcFq_MlRVRFRyc7OYfjpBOT907wkTEg
Get Webhook Info: https://discord.com/api/webhooks/1446172674832334870/CGqSWZ2SjEJ_UgVHL5GZ_uRiiDhGjMMYKT2Ol8ozLrefGEYiOtD6SlgYvIcG3yNcQQk_
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 498
Monitored processes: 337
Malicious processes: 29
Suspicious processes: 29

Behavior graph

(Interactive process graph; available in the full report.)

Process information

Fields per process: PID, CMD, Path, Indicators, Parent process

PID: 508
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4264,i,14311594116055570061,12895129663204757486,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version --mojo-platform-channel-handle=4160 /prefetch:2
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 552
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: python.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
676
CMD:
C:\WINDOWS\system32\cmd.exe /c taskkill /f /im chrome.exe >nul 2>&1
Path:
C:\Windows\System32\cmd.exe
Parent process:
python.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
128
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID:
748
CMD:
C:\WINDOWS\system32\cmd.exe /d /s /c "sc config node DisplayName= "Background Tasks Host""
Path:
C:\Windows\System32\cmd.exe
Parent process:
skip.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1060
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID:
752
CMD:
taskkill /IM Steam.exe /F
Path:
C:\Windows\System32\taskkill.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID:
772
CMD:
cscript //nologo "C:\Users\admin\AppData\Local\Temp\sysZxammz256.vbs"
Path:
C:\Windows\System32\cscript.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft ® Console Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\cscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID:
824
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=7916,i,14311594116055570061,12895129663204757486,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version --mojo-platform-channel-handle=8156 /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
848
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.142 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.92 --initial-client-data=0x27c,0x280,0x284,0x278,0x28c,0x7ffd6f53f208,0x7ffd6f53f214,0x7ffd6f53f220
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
876
CMD:
powershell -c "Get-Process Discord* -ErrorAction SilentlyContinue | Stop-Process -Force -ErrorAction SilentlyContinue"
Path:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID:
1036
CMD:
taskkill /f /im chrome.exe
Path:
C:\Windows\System32\taskkill.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events
81 356
Read events
81 315
Write events
41
Delete events
0

Modification events

(PID) Process:
(4424) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:
write
Name:
3
Value:
C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:
(4424) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:
write
Name:
2
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:
(4424) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:
write
Name:
1
Value:
C:\Users\admin\Downloads\chromium_build 1.zip
(PID) Process:
(4424) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:
write
Name:
0
Value:
C:\Users\admin\Downloads\Lunaferies.zip
(PID) Process:
(4424) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:
write
Name:
name
Value:
120
(PID) Process:
(4424) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:
write
Name:
size
Value:
80
(PID) Process:
(4424) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:
write
Name:
type
Value:
120
(PID) Process:
(4424) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:
write
Name:
mtime
Value:
100
(PID) Process:
(6808) LunaferiesSetup.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\7fd7bd50-c368-5cf6-884d-113942d8f9ae
Operation:
write
Name:
InstallLocation
Value:
C:\Program Files\skip
(PID) Process:
(6808) LunaferiesSetup.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\7fd7bd50-c368-5cf6-884d-113942d8f9ae
Operation:
write
Name:
KeepShortcuts
Value:
true
Executable files
170
Suspicious files
4 194
Text files
2 745
Unknown types
207

Dropped files

PID
Process
Filename
Type
PID:
7876
Process:
msedge.exe
Filename:
C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old~RF1e5263.TMP
MD5:
SHA256:
PID:
7876
Process:
msedge.exe
Filename:
C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old
MD5:
SHA256:
PID:
7876
Process:
msedge.exe
Filename:
C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF1e5263.TMP
MD5:
SHA256:
PID:
7876
Process:
msedge.exe
Filename:
C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF1e5263.TMP
MD5:
SHA256:
PID:
7876
Process:
msedge.exe
Filename:
C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
MD5:
SHA256:
PID:
7876
Process:
msedge.exe
Filename:
C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF1e5273.TMP
MD5:
SHA256:
PID:
7876
Process:
msedge.exe
Filename:
C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
MD5:
SHA256:
PID:
7876
Process:
msedge.exe
Filename:
C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:
PID:
7876
Process:
msedge.exe
Filename:
C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF1e5283.TMP
MD5:
SHA256:
PID:
7876
Process:
msedge.exe
Filename:
C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
MD5:
SHA256:
HTTP(S) requests
129
TCP/UDP connections
151
DNS requests
127
Threats
97

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5308
msedge.exe
GET
206
185.61.152.19:443
https://lunaferies.com/Timeline%201.mp4
US
unknown
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAjTxtAB8my1oj8MfWpz%2F7Y%3D
US
binary
313 b
whitelisted
GET
200
204.79.197.203:80
http://oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBQ3L3%2F%2Fa6ADK8NraY2GXzVaYrHG4AQUb6t%2B2v%2BXQ3LsO2d33oJhNYhHQoUCEzMAAAAGb6JMMcOVb6sAAAAAAAY%3D
US
binary
959 b
whitelisted
5308
msedge.exe
GET
200
150.171.22.17:443
https://config.edge.skype.com/config/v1/Edge/133.0.3065.92?clientId=4489578223053569932&agents=Edge%2CEdgeConfig%2CEdgeServices%2CEdgeFirstRun%2CEdgeFirstRunConfig&osname=win&client=edge&channel=stable&scpfre=0&osarch=x86_64&osver=10.0.19045&wu=1&devicefamily=desktop&uma=0&sessionid=66&mngd=0&installdate=1661339457&edu=0&soobedate=1504771245&bphint=2&fg=1&lbfgdate=1766135237&lafgdate=0
US
text
4.47 Kb
whitelisted
5308
msedge.exe
GET
200
150.171.28.11:443
https://edge.microsoft.com/serviceexperimentation/v3/?osname=win&channel=stable&osver=10.0.19045&devicefamily=desktop&installdate=1661339457&clientversion=133.0.3065.92&experimentationmode=2&scpguard=0&scpfull=0&scpver=0
US
446 b
whitelisted
5308
msedge.exe
GET
200
104.18.22.222:443
https://copilot.microsoft.com/c/api/user/eligibility
US
25 b
whitelisted
5308
msedge.exe
GET
200
185.61.152.19:443
https://lunaferies.com/
US
html
53.6 Kb
unknown
5308
msedge.exe
GET
200
185.61.152.19:443
https://lunaferies.com/s2.jpg
US
image
352 Kb
unknown
5308
msedge.exe
GET
200
185.61.152.19:443
https://lunaferies.com/s1.jpg
US
image
563 Kb
unknown
5308
msedge.exe
GET
200
185.61.152.19:443
https://lunaferies.com/s3.jpg
US
image
557 Kb
unknown

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
Not routed
whitelisted
7428
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
8124
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6768
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5568
SearchApp.exe
184.86.251.12:443
www.bing.com
AKAMAI-ASN1
NL
whitelisted
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
US
whitelisted
204.79.197.203:80
oneocsp.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
3412
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5308
msedge.exe
150.171.22.17:443
config.edge.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5308
msedge.exe
150.171.28.11:80
edge.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 20.73.194.208
  • 51.104.136.2
whitelisted
self.events.data.microsoft.com
  • 104.208.16.88
  • 13.69.239.72
whitelisted
google.com
  • 172.217.16.174
whitelisted
www.bing.com
  • 184.86.251.12
  • 184.86.251.19
  • 184.86.251.15
  • 184.86.251.14
  • 184.86.251.24
  • 184.86.251.16
  • 184.86.251.13
  • 184.86.251.23
  • 184.86.251.22
  • 2.16.204.159
  • 2.16.204.155
  • 2.16.204.158
  • 2.16.204.153
  • 2.16.204.157
  • 2.16.204.147
  • 2.16.204.152
  • 2.16.204.156
  • 2.16.204.151
  • 2.16.204.150
  • 2.16.204.145
  • 2.16.204.146
  • 2.16.204.143
  • 2.16.204.142
  • 2.16.204.138
  • 2.16.204.148
  • 2.16.204.135
  • 2.16.204.134
  • 2.16.204.160
  • 2.16.204.141
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
oneocsp.microsoft.com
  • 204.79.197.203
whitelisted
client.wns.windows.com
  • 172.211.123.249
  • 172.211.123.248
whitelisted
edge.microsoft.com
  • 150.171.28.11
  • 150.171.27.11
whitelisted
config.edge.skype.com
  • 150.171.22.17
whitelisted
lunaferies.com
  • 185.61.152.19
unknown

Threats

PID
Process
Class
Message
5308
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare content delivery network (cdnjs .cloudflare .com)
5308
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare content delivery network (cdnjs .cloudflare .com)
5308
msedge.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain (ipapi .co in DNS lookup)
5308
msedge.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain (ipapi .co in DNS lookup)
5308
msedge.exe
Misc activity
ET INFO Observed Discord Domain in DNS Lookup (discord .com)
5308
msedge.exe
Misc activity
ET INFO Discord Chat Service Domain in DNS Lookup (discord .com)
5308
msedge.exe
Misc activity
ET INFO Discord Chat Service Domain in DNS Lookup (discord .com)
5308
msedge.exe
Misc activity
ET INFO Observed Discord Domain in DNS Lookup (discord .com)
5308
msedge.exe
Misc activity
ET INFO Observed Discord Domain (discord .com in TLS SNI)
5308
msedge.exe
Misc activity
ET INFO Observed Discord Service Domain (discord .com) in TLS SNI
Process
Message
notepad++.exe
ED255D9151912E40DF048A56288E969A8D0DAFA3
notepad++.exe
VerifyLibrary: certificate revocation checking is disabled
notepad++.exe
VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
notepad++.exe
VerifyLibrary: certificate revocation checking is disabled
notepad++.exe
VerifyLibrary: C:\Program Files\Notepad++\updater\gup.exe
notepad++.exe
VerifyLibrary: error while getting certificate informations
notepad++.exe
VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
notepad++.exe
ED255D9151912E40DF048A56288E969A8D0DAFA3
notepad++.exe
VerifyLibrary: certificate revocation checking is disabled
msedge.exe
RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\Microsoft\Edge\User Data directory exists )