File name:

LunarClientv3.2.12.exe

Full analysis: https://app.any.run/tasks/eead817e-0622-4841-bed3-a9017f005b22
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims' computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links, relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: September 02, 2024, 21:52:12
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:

82D01CE70A37C0F7505A0E3BCE1EE6FB

SHA1:

84AAE712EE1A7127DA3FE3609CAE99714C76266F

SHA256:

4CC80E8815C86FECCB71CBC70CF85B73EAE03BDA0DB4582EEE542AFB5DFB360F

SSDEEP:

24576:y6vSLofER+unwiPyu6Nm14HyNt85nq2O6vhCmSxbv0kFgQ0Qh1lhUqFz9553ONQF:y6aL2ER+unwiPyu6Nm14HyNt85q2O6Z4

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • reg.exe (PID: 2248)
  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • LunarClientv3.2.12.exe (PID: 6152)
    • Process drops legitimate windows executable

      • LunarClientv3.2.12.exe (PID: 6152)
    • Creates a software uninstall entry

      • LunarClientv3.2.12.exe (PID: 6152)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • LunarClientv3.2.12.exe (PID: 6152)
    • Executable content was dropped or overwritten

      • LunarClientv3.2.12.exe (PID: 6152)
      • Lunar Client.exe (PID: 6276)
    • Checks Windows Trust Settings

      • LunarClientv3.2.12.exe (PID: 6152)
    • Starts CMD.EXE for commands execution

      • Lunar Client.exe (PID: 6276)
    • Starts application with an unusual extension

      • cmd.exe (PID: 1020)
    • Application launched itself

      • Lunar Client.exe (PID: 6276)
    • Uses REG/REGEDIT.EXE to modify registry

      • Lunar Client.exe (PID: 6276)
    • Reads security settings of Internet Explorer

      • LunarClientv3.2.12.exe (PID: 6152)
    • Drops 7-zip archiver for unpacking

      • LunarClientv3.2.12.exe (PID: 6152)
  • INFO

    • Checks supported languages

      • LunarClientv3.2.12.exe (PID: 6152)
      • Lunar Client.exe (PID: 6276)
      • chcp.com (PID: 2228)
      • Lunar Client.exe (PID: 2360)
      • Lunar Client.exe (PID: 1288)
      • Lunar Client.exe (PID: 6892)
      • Lunar Client.exe (PID: 2056)
      • Lunar Client.exe (PID: 6256)
    • Creates files or folders in the user directory

      • LunarClientv3.2.12.exe (PID: 6152)
      • Lunar Client.exe (PID: 6276)
      • Lunar Client.exe (PID: 2056)
      • Lunar Client.exe (PID: 1288)
    • Reads the computer name

      • LunarClientv3.2.12.exe (PID: 6152)
      • Lunar Client.exe (PID: 6276)
      • Lunar Client.exe (PID: 2360)
      • Lunar Client.exe (PID: 1288)
    • Checks proxy server information

      • LunarClientv3.2.12.exe (PID: 6152)
      • Lunar Client.exe (PID: 6276)
    • Create files in a temporary directory

      • LunarClientv3.2.12.exe (PID: 6152)
      • Lunar Client.exe (PID: 6276)
    • Reads the machine GUID from the registry

      • LunarClientv3.2.12.exe (PID: 6152)
      • Lunar Client.exe (PID: 6276)
    • Reads the software policy settings

      • LunarClientv3.2.12.exe (PID: 6152)
    • Reads product name

      • Lunar Client.exe (PID: 6276)
    • Manual execution by a user

      • Lunar Client.exe (PID: 6276)
    • Reads Environment values

      • Lunar Client.exe (PID: 6276)
    • Process checks computer location settings

      • Lunar Client.exe (PID: 6276)
      • Lunar Client.exe (PID: 6892)
      • Lunar Client.exe (PID: 6256)
    • Changes the display of characters in the console

      • chcp.com (PID: 2228)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:12:15 22:26:14+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26624
InitializedDataSize: 473088
UninitializedDataSize: 16384
EntryPoint: 0x338f
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 3.2.12.0
ProductVersionNumber: 3.2.12.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: Moonsworth LLC
FileDescription: Electron launcher for Lunar Client
FileVersion: 3.2.12
LegalCopyright: Copyright © 2024 Moonsworth LLC
ProductName: Lunar Client
ProductVersion: 3.2.12
No data.
All screenshots are available in the full report
Total processes: 137
Monitored processes: 14
Malicious processes: 2
Suspicious processes: 1

Behavior graph

Processes in the graph, in the order shown ("no specs" marks a process that triggered no indicators):
  • lunarclientv3.2.12.exe
  • lunar client.exe
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • chcp.com (no specs)
  • lunar client.exe (no specs)
  • lunar client.exe (no specs)
  • reg.exe (no specs)
  • lunar client.exe
  • conhost.exe (no specs)
  • lunar client.exe (no specs)
  • reg.exe
  • conhost.exe (no specs)
  • lunar client.exe (no specs)

Process information

PID: 1020
CMD: C:\WINDOWS\system32\cmd.exe /d /s /c "chcp"
Path: C:\Windows\System32\cmd.exe
Parent process: Lunar Client.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 1288
CMD: "C:\Users\admin\AppData\Local\Programs\lunarclient\Lunar Client.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\admin\AppData\Roaming\lunarclient" --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --mojo-platform-channel-handle=2188 --field-trial-handle=1952,i,17531992575867385165,5650226101873455728,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8
Path: C:\Users\admin\AppData\Local\Programs\lunarclient\Lunar Client.exe
Parent process: Lunar Client.exe
User:
admin
Company:
Moonsworth LLC
Integrity Level:
MEDIUM
Description:
Lunar Client
Version:
3.2.12
Modules
Images
c:\users\admin\appdata\local\programs\lunarclient\lunar client.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2056
CMD: "C:\Users\admin\AppData\Local\Programs\lunarclient\Lunar Client.exe" --type=crashpad-handler --user-data-dir=C:\Users\admin\AppData\Roaming\lunarclient /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\admin\AppData\Roaming\lunarclient\Crashpad --url=https://f.a.k/e --annotation=_productName=lunarclient --annotation=_version=3.2.12 --annotation=plat=Win64 --annotation=prod=Electron --annotation=ver=28.2.10 --initial-client-data=0x568,0x50c,0x548,0x53c,0x540,0x7ff7b2c0f688,0x7ff7b2c0f694,0x7ff7b2c0f6a0
Path: C:\Users\admin\AppData\Local\Programs\lunarclient\Lunar Client.exe
Parent process: Lunar Client.exe
User:
admin
Company:
Moonsworth LLC
Integrity Level:
MEDIUM
Description:
Lunar Client
Version:
3.2.12
Modules
Images
c:\users\admin\appdata\local\programs\lunarclient\lunar client.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2228
CMD: chcp
Path: C:\Windows\System32\chcp.com
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Change CodePage Utility
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\chcp.com
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
PID: 2248
CMD: C:\WINDOWS\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Lunar Client" /t REG_SZ /d "\"C:\Users\admin\AppData\Local\Programs\lunarclient\Lunar Client.exe\" --hidden" /f
Path: C:\Windows\System32\reg.exe
Parent process: Lunar Client.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 2360
CMD: "C:\Users\admin\AppData\Local\Programs\lunarclient\Lunar Client.exe" --type=gpu-process --user-data-dir="C:\Users\admin\AppData\Roaming\lunarclient" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1948 --field-trial-handle=1952,i,17531992575867385165,5650226101873455728,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:2
Path: C:\Users\admin\AppData\Local\Programs\lunarclient\Lunar Client.exe
Parent process: Lunar Client.exe
User:
admin
Company:
Moonsworth LLC
Integrity Level:
LOW
Description:
Lunar Client
Version:
3.2.12
Modules
Images
c:\users\admin\appdata\local\programs\lunarclient\lunar client.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3424
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: reg.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3980
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6152
CMD: "C:\Users\admin\Desktop\LunarClientv3.2.12.exe"
Path: C:\Users\admin\Desktop\LunarClientv3.2.12.exe
Parent process: explorer.exe
User:
admin
Company:
Moonsworth LLC
Integrity Level:
MEDIUM
Description:
Electron launcher for Lunar Client
Exit code:
0
Version:
3.2.12
Modules
Images
c:\users\admin\desktop\lunarclientv3.2.12.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 6256
CMD: "C:\Users\admin\AppData\Local\Programs\lunarclient\Lunar Client.exe" --type=renderer --user-data-dir="C:\Users\admin\AppData\Roaming\lunarclient" --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --app-user-model-id=com.moonsworth.client --app-path="C:\Users\admin\AppData\Local\Programs\lunarclient\resources\app.asar" --no-sandbox --no-zygote --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3948 --field-trial-handle=1952,i,17531992575867385165,5650226101873455728,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:1
Path: C:\Users\admin\AppData\Local\Programs\lunarclient\Lunar Client.exe
Parent process: Lunar Client.exe
User:
admin
Company:
Moonsworth LLC
Integrity Level:
MEDIUM
Description:
Lunar Client
Version:
3.2.12
Modules
Images
c:\users\admin\appdata\local\programs\lunarclient\lunar client.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
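The single MALICIOUS indicator in this report is the reg.exe write by PID 2248 above: a per-user Run value named "Lunar Client" pointing at an image under the user's AppData and launched with --hidden. The following is an added example, not ANY.RUN or Lunar Client code, of how to pull that kind of event out of a sandbox process list and turn it into a structured finding: it tokenizes the reg.exe command line the way CommandLineToArgvW does (so the escaped inner quotes in the /d argument survive), checks the key against the logon autorun locations, and records the facts a reviewer weighs, namely which hive was written (HKCU needs no elevation), whether the image lives in a user-writable directory, and whether it is started hidden. Only the PID 2248 command line is from this report; the two other events and the event tuple shape (pid, process, command line) are constructed for the example.

```python
"""Triage reg.exe command lines from a sandbox process list for autorun persistence.

Added example, not ANY.RUN or Lunar Client code. The PID 2248 command line below is
the one recorded in this report; the other two events are constructed for contrast.
"""
import re

# Logon-time autorun locations (subkey only, lower-cased, hive handled separately).
AUTORUN_SUBKEYS = {
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\runonce",
    r"software\microsoft\windows\currentversion\policies\explorer\run",
}
HIVE_ALIASES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE"}
# Directories a standard user can write to: an autorun image here needs no admin
# rights to plant and can be replaced by any process running as that user.
USER_WRITABLE = re.compile(r"\\(appdata|temp|desktop|downloads|users\\public)\\", re.I)


def win_split(cmdline):
    """Minimal CommandLineToArgvW-style tokenizer: whitespace separates arguments,
    double quotes group, and 2n+1 backslashes before a quote give n backslashes plus a
    literal quote, so an escaped quote inside a quoted argument survives. Backslashes
    not followed by a quote (path separators) are kept as-is. Empty arguments are dropped."""
    args, cur, in_quotes, i = [], [], False, 0
    while i < len(cmdline):
        c = cmdline[i]
        if c == "\\":
            j = i
            while j < len(cmdline) and cmdline[j] == "\\":
                j += 1
            n = j - i
            if j < len(cmdline) and cmdline[j] == '"':
                cur.append("\\" * (n // 2))
                if n % 2:                      # odd count: the quote is literal
                    cur.append('"')
                    j += 1
            else:
                cur.append("\\" * n)
            i = j
            continue
        if c == '"':
            in_quotes = not in_quotes
        elif c in " \t" and not in_quotes:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(c)
        i += 1
    if cur:
        args.append("".join(cur))
    return args


def parse_reg_add(cmdline):
    """Return (key, value_name, value_type, data) for a reg.exe ADD line, else None."""
    argv = win_split(cmdline)
    if len(argv) < 3 or not argv[0].lower().endswith("reg.exe") or argv[1].upper() != "ADD":
        return None
    opts, i = {}, 3
    while i < len(argv):
        flag = argv[i].lower()
        if flag in ("/v", "/t", "/d") and i + 1 < len(argv):
            opts[flag] = argv[i + 1]
            i += 2
        else:
            i += 1
    return argv[2], opts.get("/v"), opts.get("/t", "REG_SZ"), opts.get("/d", "")


def split_image(data):
    """Separate the launched image from its arguments in a Run-value string."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        if end != -1:
            return data[1:end], data[end + 1:].strip()
    head, _, tail = data.partition(" ")
    return head, tail.strip()


def autorun_findings(events):
    """events: iterable of (pid, process_name, command_line).
    Returns one finding dict per reg.exe ADD that targets an autorun key."""
    findings = []
    for pid, _name, cmdline in events:
        parsed = parse_reg_add(cmdline)
        if parsed is None:
            continue
        key, value_name, value_type, data = parsed
        hive, _, subkey = key.partition("\\")
        hive = HIVE_ALIASES.get(hive.upper(), hive.upper())
        if subkey.strip("\\").lower() not in AUTORUN_SUBKEYS:
            continue
        image, args = split_image(data)
        findings.append({
            "pid": pid,
            "key": hive + "\\" + subkey,
            "value_name": value_name,
            "value_type": value_type,
            "image": image,
            "args": args,
            "per_user": hive == "HKEY_CURRENT_USER",          # no elevation needed
            "user_writable_image": bool(USER_WRITABLE.search(image)),
            "hidden_launch": "--hidden" in args.lower().split(),
        })
    return findings


SAMPLE_EVENTS = [
    # Recorded in this report: reg.exe (PID 2248), spawned by Lunar Client.exe
    (2248, "reg.exe",
     r'C:\WINDOWS\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run '
     r'/v "Lunar Client" /t REG_SZ /d "\"C:\Users\admin\AppData\Local\Programs\lunarclient\Lunar Client.exe\" --hidden" /f'),
    # Constructed: a read, not a write
    (1111, "reg.exe", r'C:\WINDOWS\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Run'),
    # Constructed: machine-wide RunOnce pointing at a Program Files image
    (2222, "reg.exe",
     r'reg.exe add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce '
     r'/v Setup /d "\"C:\Program Files\Example\setup.exe\" /silent" /f'),
]

if __name__ == "__main__":
    for finding in autorun_findings(SAMPLE_EVENTS):
        print(finding)
```

Run as-is it reports two findings: the PID 2248 write (per-user, user-writable image, hidden launch) and the constructed HKLM RunOnce entry (machine-wide, Program Files image). The flags are facts to weigh, not a verdict: the same HKCU Run + --hidden pattern is what an application's own "start at login" setting produces, so the finding should be read together with who signed the image and whether the user opted into it.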
Total events: 10 624
Read events: 10 577
Write events: 29
Delete events: 18

Modification events

All entries below are registry writes by PID 6152 (LunarClientv3.2.12.exe).

Key | Name | Value
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | 1
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName | 1
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 1
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 0
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | CachePrefix | (empty string)
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | CachePrefix | Cookie:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | CachePrefix | Visited:
HKEY_CURRENT_USER\SOFTWARE\1fcec38f-e773-5444-8669-32b8eb41524b | InstallLocation | C:\Users\admin\AppData\Local\Programs\lunarclient
HKEY_CURRENT_USER\SOFTWARE\1fcec38f-e773-5444-8669-32b8eb41524b | KeepShortcuts | true
HKEY_CURRENT_USER\SOFTWARE\1fcec38f-e773-5444-8669-32b8eb41524b | ShortcutName | Lunar Client
Executable files: 25
Suspicious files: 228
Text files: 20
Unknown types: 2

Dropped files

All entries below were written by PID 6152 (LunarClientv3.2.12.exe). Hashes are left blank where the report lists none.

Filename | Type
C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\lunarclient-3.2.12-x64.nsis[1].7z |
  MD5:
  SHA256:
C:\Users\admin\AppData\Local\Temp\nshABF8.tmp\package.7z |
  MD5:
  SHA256:
C:\Users\admin\AppData\Local\Temp\nshABF8.tmp\7z-out\icudtl.dat |
  MD5:
  SHA256:
C:\Users\admin\AppData\Local\Temp\nshABF8.tmp\7z-out\LICENSES.chromium.html |
  MD5:
  SHA256:
C:\Users\admin\AppData\Local\Temp\nshABF8.tmp\StdUtils.dll | executable
  MD5: C6A6E03F77C313B267498515488C5740
  SHA256: B72E9013A6204E9F01076DC38DABBF30870D44DFC66962ADBF73619D4331601E
C:\Users\admin\AppData\Local\Temp\nshABF8.tmp\System.dll | executable
  MD5: 0D7AD4F45DC6F5AA87F606D0331C6901
  SHA256: 3EB38AE99653A7DBC724132EE240F6E5C4AF4BFE7C01D31D23FAF373F9F2EACA
C:\Users\admin\AppData\Local\Temp\nshABF8.tmp\7z-out\locales\ar.pak | binary
  MD5: 2B2DFAFB0D258C1D2B58E51AE1EE9AB5
  SHA256: EA49BC2CEB6B185030EAA0EE0155FECA90E632390417299113B02FBE365FF731
C:\Users\admin\AppData\Local\Temp\nshABF8.tmp\7z-out\locales\af.pak | binary
  MD5: 862A2262D0E36414ABBAE1D9DF0C7335
  SHA256: 57670EAE6D1871E648AD6148125EE82D08575BEC5B323459FC14C3831570774A
C:\Users\admin\AppData\Local\Temp\nshABF8.tmp\7z-out\chrome_200_percent.pak | binary
  MD5: 47668AC5038E68A565E0A9243DF3C9E5
  SHA256: FAC820A98B746A04CE14EC40C7268D6A58819133972B538F9720A5363C862E32
C:\Users\admin\AppData\Local\Temp\nshABF8.tmp\7z-out\locales\de.pak | binary
  MD5: 141045FC1F94F93E82DB06DB4F7321C8
  SHA256: 47253E2FCF0E4691F29B3EBBE8F888A97B28D6AEAF73AB000857A6B8D0907FF3
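The file info above identifies the sample as a Nullsoft (NSIS) self-extracting installer, and the dropped-file list is consistent with that: NSIS unpacks the plugin DLLs an installer script uses into a per-run directory named ns<letter><4 hex>.tmp under %TEMP% (here nshABF8.tmp), and System.dll and StdUtils.dll are stock NSIS plugins, so the SUSPICIOUS signatures "creating System.dll in Temp" and "Drops 7-zip archiver for unpacking" fire on every NSIS package built this way and do not by themselves separate this sample from a benign installer. What does deserve a look is anything executable written outside that staging directory. The following is an added example, not ANY.RUN or Lunar Client code, that classifies dropped paths on those rules; the first ten entries are the paths listed in this report, the last one is constructed to show what the triage surfaces, and the class names and (pid, path, type) tuple shape are the editor's.

```python
"""Separate NSIS installer staging artefacts from dropped files worth inspecting.

Added example, not ANY.RUN or Lunar Client code. The first ten paths are the
'Dropped files' entries of this report; the last one is constructed. The rules
encode how NSIS behaves: plugin DLLs are unpacked into %TEMP%\ns<x><hex4>.tmp for
the installer's lifetime, and System.dll / StdUtils.dll are stock NSIS plugins.
"""
import re
from collections import Counter
from pathlib import PureWindowsPath

# NSIS per-run plugin/staging directory, e.g. \Temp\nshABF8.tmp\
NSIS_PLUGIN_DIR = re.compile(r"\\Temp\\ns[a-z][0-9a-f]{4}\.tmp\\", re.I)
# Stock NSIS plugin DLLs; their presence in the staging dir is installer plumbing.
NSIS_STOCK_PLUGINS = {"system.dll", "stdutils.dll", "nsexec.dll", "nsdialogs.dll"}


def classify(path):
    """Bucket one dropped-file path by where it landed."""
    name = PureWindowsPath(path).name.lower()
    if NSIS_PLUGIN_DIR.search(path):
        if name in NSIS_STOCK_PLUGINS:
            return "nsis-plugin"        # runtime support for the installer itself
        return "nsis-staging"           # payload unpacked before being copied into place
    if "\\inetcache\\" in path.lower():
        return "wininet-cache"          # fetched through WinINet; the OS cached the body
    if re.search(r"\\AppData\\Local\\Programs\\|\\Program Files", path, re.I):
        return "install-location"
    return "other"


def triage(drops):
    """drops: iterable of (pid, path, type). Returns per-class counts, the NSIS
    staging directories seen, and the executables written outside staging, which
    are the entries a reviewer should pull hashes for."""
    counts, staging_dirs, outside = Counter(), set(), []
    for pid, path, ftype in drops:
        cls = classify(path)
        counts[cls] += 1
        m = NSIS_PLUGIN_DIR.search(path)
        if m:
            staging_dirs.add(m.group(0).strip("\\").split("\\")[-1])
        if ftype == "executable" and cls not in ("nsis-plugin", "nsis-staging"):
            outside.append((pid, path))
    return {
        "counts": dict(counts),
        "staging_dirs": sorted(staging_dirs),
        "executables_outside_staging": outside,
    }


T = r"C:\Users\admin\AppData\Local\Temp\nshABF8.tmp"
SAMPLE_DROPS = [
    # From this report (PID 6152); type as listed, "" where the report gives none
    (6152, r"C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\lunarclient-3.2.12-x64.nsis[1].7z", ""),
    (6152, T + r"\package.7z", ""),
    (6152, T + r"\7z-out\icudtl.dat", ""),
    (6152, T + r"\7z-out\LICENSES.chromium.html", ""),
    (6152, T + r"\StdUtils.dll", "executable"),
    (6152, T + r"\System.dll", "executable"),
    (6152, T + r"\7z-out\locales\ar.pak", "binary"),
    (6152, T + r"\7z-out\locales\af.pak", "binary"),
    (6152, T + r"\7z-out\chrome_200_percent.pak", "binary"),
    (6152, T + r"\7z-out\locales\de.pak", "binary"),
    # Constructed: an executable written outside the staging directory
    (6152, r"C:\Users\admin\AppData\Roaming\lunarclient\helper.exe", "executable"),
]

if __name__ == "__main__":
    print(triage(SAMPLE_DROPS))
```

On the report's own ten entries the result is one WinINet-cached download, two stock plugins and seven staging files, with nothing executable outside nshABF8.tmp; only the constructed helper.exe shows up in executables_outside_staging. The report lists 25 executable files in total but shows only ten drops here, so the same pass over the full dropped-file list from the linked analysis is the check that actually matters.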
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 6
TCP/UDP connections: 49
DNS requests: 11
Threats: 8

HTTP requests

No PID or process is recorded for these requests. Fields left blank are not given in the report.

Method | HTTP code | IP | URL | CN | Type | Size | Reputation
GET | | 104.18.29.96:443 | https://launcherupdates.lunarclientcdn.com/lunarclient-3.2.17-x64.nsis.7z | unknown | | | unknown
GET | 200 | 104.18.29.96:443 | https://launcherupdates.lunarclientcdn.com/lunarclient-3.2.12-x64.nsis.7z | unknown | compressed | 80.8 Mb | unknown
GET | 200 | 104.18.29.96:443 | https://launcherupdates.lunarclientcdn.com/Lunar%20Client%20v3.2.17.exe | unknown | executable | 848 Kb | unknown
GET | 200 | 104.18.28.96:443 | https://launcherupdates.lunarclientcdn.com/latest.yml?noCache=1i6qblp90 | unknown | text | 569 b | unknown
GET | 200 | 104.18.31.194:443 | https://skins.mcstats.com/body/front/astronaut?enableCosmeticType=cloak | unknown | image | 6.09 Kb | unknown
GET | 206 | 104.18.28.96:443 | https://launcherupdates.lunarclientcdn.com/lunarclient-3.2.17-x64.nsis.7z | unknown | binary | 87.2 Kb | unknown

Connections

Fields left blank are not given in the report.

PID | Process | IP | Domain | ASN | CN | Reputation
| | 192.168.100.255:138 | | | | whitelisted
4316 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2120 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6428 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2120 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 | | | | whitelisted
4316 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4324 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6152 | LunarClientv3.2.12.exe | 104.18.29.96:443 | launcherupdates.lunarclientcdn.com | CLOUDFLARENET | | suspicious
4 | System | 192.168.100.255:137 | | | | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 20.73.194.208
whitelisted
google.com
  • 216.58.206.46
whitelisted
launcherupdates.lunarclientcdn.com
  • 104.18.29.96
  • 104.18.28.96
unknown
api.lunarclientprod.com
  • 104.18.29.130
  • 104.18.28.130
unknown
analytics.lunarclientprod.com
  • 104.18.28.130
  • 104.18.29.130
unknown
skins.mcstats.com
  • 104.18.30.194
  • 104.18.31.194
unknown
lunarclient.com
  • 104.18.12.46
  • 104.18.13.46
unknown

Threats

No PID or process is recorded for these alerts.

Class | Message
Potential Corporate Privacy Violation | ET POLICY User-Agent (Launcher)
Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
Potential Corporate Privacy Violation | ET POLICY User-Agent (Launcher)
Potential Corporate Privacy Violation | ET POLICY User-Agent (Launcher)
Potential Corporate Privacy Violation | ET POLICY User-Agent (Launcher)
3 ETPRO signatures available at the full report
No debug info