File name: Lunar Client - Installer.exe

Full analysis: https://app.any.run/tasks/e93ed6f4-ba19-4ba1-b7ad-3e210bf481be
Verdict: Malicious activity
Analysis date: July 12, 2025, 08:14:40
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-exec
arch-scr
nodejs
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5: 4CEABA2E1911F25ADCED5CA0CE5DDC10
SHA1: E4200BE9D4762B963B5618F2FA519C0C490C1255
SHA256: D1A6622AAA2F235F7526414B6B7673E74332F080F930C66AB5C846A3E4E4532F
SSDEEP: 98304:g1/zJgc0J/A9nGcRa1xXcVsy3RxeLLCIJgap176MVhBIHsCE+1mcMRwSMRwgF9Rw:+YAR5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes powershell execution policy (Unrestricted)

      • Lunar Client.exe (PID: 6140)
    • Changes the autorun value in the registry

      • reg.exe (PID: 5080)
  • SUSPICIOUS

    • Malware-specific behavior (creating "System.dll" in Temp)

      • Lunar Client - Installer.exe (PID: 6852)
      • ow-electron-setup.exe (PID: 7156)
    • The process creates files with name similar to system file names

      • Lunar Client - Installer.exe (PID: 6852)
      • ow-electron-setup.exe (PID: 7156)
    • Executable content was dropped or overwritten

      • Lunar Client - Installer.exe (PID: 6852)
      • OWInstaller.exe (PID: 2044)
      • ow-electron-setup.exe (PID: 7156)
      • Lunar Client.exe (PID: 5564)
      • Lunar Client.exe (PID: 6140)
    • Drops 7-zip archiver for unpacking

      • Lunar Client - Installer.exe (PID: 6852)
      • ow-electron-setup.exe (PID: 7156)
    • Reads the date of Windows installation

      • OWInstaller.exe (PID: 2044)
    • Reads security settings of Internet Explorer

      • OWInstaller.exe (PID: 2044)
      • ow-electron-setup.exe (PID: 7156)
    • Reads Internet Explorer settings

      • OWInstaller.exe (PID: 2044)
    • There is functionality for taking screenshot (YARA)

      • Lunar Client - Installer.exe (PID: 6852)
    • Reads Microsoft Outlook installation path

      • OWInstaller.exe (PID: 2044)
    • Get information on the list of running processes

      • ow-electron-setup.exe (PID: 7156)
      • cmd.exe (PID: 5600)
    • Starts CMD.EXE for commands execution

      • ow-electron-setup.exe (PID: 7156)
      • Lunar Client.exe (PID: 6140)
    • Process drops legitimate windows executable

      • ow-electron-setup.exe (PID: 7156)
      • Lunar Client.exe (PID: 5564)
      • Lunar Client.exe (PID: 6140)
    • Creates a software uninstall entry

      • ow-electron-setup.exe (PID: 7156)
    • Starts application with an unusual extension

      • cmd.exe (PID: 2276)
    • Application launched itself

      • Lunar Client.exe (PID: 6140)
    • Starts POWERSHELL.EXE for commands execution

      • Lunar Client.exe (PID: 6140)
    • The process hides Powershell's copyright startup banner

      • Lunar Client.exe (PID: 6140)
    • The process bypasses the loading of PowerShell profile settings

      • Lunar Client.exe (PID: 6140)
    • Uses REG/REGEDIT.EXE to modify registry

      • Lunar Client.exe (PID: 6140)
    • The process drops C-runtime libraries

      • Lunar Client.exe (PID: 6140)
  • INFO

    • Checks supported languages

      • Lunar Client - Installer.exe (PID: 6852)
      • OWInstaller.exe (PID: 2044)
      • ow-electron-setup.exe (PID: 7156)
      • Lunar Client.exe (PID: 6140)
      • chcp.com (PID: 1352)
      • Lunar Client.exe (PID: 6780)
      • Lunar Client.exe (PID: 1564)
      • Lunar Client.exe (PID: 6812)
      • Lunar Client.exe (PID: 6348)
      • Lunar Client.exe (PID: 1512)
      • Lunar Client.exe (PID: 4100)
      • Lunar Client.exe (PID: 728)
      • Lunar Client.exe (PID: 5564)
      • Lunar Client.exe (PID: 6768)
      • Lunar Client.exe (PID: 3860)
      • Lunar Client.exe (PID: 4540)
      • Lunar Client.exe (PID: 3964)
      • Lunar Client.exe (PID: 6688)
    • The sample compiled with english language support

      • Lunar Client - Installer.exe (PID: 6852)
      • OWInstaller.exe (PID: 2044)
      • ow-electron-setup.exe (PID: 7156)
      • Lunar Client.exe (PID: 5564)
      • Lunar Client.exe (PID: 6140)
    • Creates files or folders in the user directory

      • Lunar Client - Installer.exe (PID: 6852)
      • OWInstaller.exe (PID: 2044)
      • dxdiag.exe (PID: 3028)
      • ow-electron-setup.exe (PID: 7156)
      • Lunar Client.exe (PID: 6140)
      • Lunar Client.exe (PID: 1512)
      • Lunar Client.exe (PID: 5564)
      • Lunar Client.exe (PID: 1564)
      • Lunar Client.exe (PID: 728)
      • dxdiag.exe (PID: 4764)
    • Create files in a temporary directory

      • Lunar Client - Installer.exe (PID: 6852)
      • OWInstaller.exe (PID: 2044)
      • ow-electron-setup.exe (PID: 7156)
      • Lunar Client.exe (PID: 6140)
      • dxdiag.exe (PID: 4764)
    • Reads the computer name

      • OWInstaller.exe (PID: 2044)
      • ow-electron-setup.exe (PID: 7156)
      • Lunar Client.exe (PID: 6140)
      • Lunar Client.exe (PID: 1564)
      • Lunar Client.exe (PID: 6812)
      • Lunar Client.exe (PID: 6780)
      • Lunar Client.exe (PID: 728)
      • Lunar Client.exe (PID: 5564)
      • Lunar Client.exe (PID: 3860)
    • Reads the machine GUID from the registry

      • OWInstaller.exe (PID: 2044)
      • ow-electron-setup.exe (PID: 7156)
      • Lunar Client.exe (PID: 6140)
      • Lunar Client.exe (PID: 6780)
      • Lunar Client.exe (PID: 728)
    • Disables trace logs

      • OWInstaller.exe (PID: 2044)
    • Reads Environment values

      • OWInstaller.exe (PID: 2044)
      • Lunar Client.exe (PID: 6140)
      • Lunar Client.exe (PID: 6780)
      • Lunar Client.exe (PID: 5564)
    • Reads the software policy settings

      • OWInstaller.exe (PID: 2044)
      • dxdiag.exe (PID: 3028)
      • ow-electron-setup.exe (PID: 7156)
      • Lunar Client.exe (PID: 6812)
      • dxdiag.exe (PID: 4764)
      • slui.exe (PID: 7132)
    • Process checks computer location settings

      • OWInstaller.exe (PID: 2044)
      • Lunar Client.exe (PID: 6140)
      • Lunar Client.exe (PID: 6348)
      • Lunar Client.exe (PID: 4100)
      • Lunar Client.exe (PID: 5564)
      • Lunar Client.exe (PID: 6768)
      • Lunar Client.exe (PID: 4540)
      • Lunar Client.exe (PID: 3964)
      • Lunar Client.exe (PID: 6688)
    • Reads product name

      • OWInstaller.exe (PID: 2044)
      • Lunar Client.exe (PID: 6140)
      • Lunar Client.exe (PID: 5564)
    • Reads security settings of Internet Explorer

      • dxdiag.exe (PID: 3028)
      • dxdiag.exe (PID: 4764)
    • Checks proxy server information

      • dxdiag.exe (PID: 3028)
      • OWInstaller.exe (PID: 2044)
      • ow-electron-setup.exe (PID: 7156)
      • Lunar Client.exe (PID: 6140)
      • slui.exe (PID: 7132)
    • Manual execution by a user

      • Lunar Client.exe (PID: 6140)
    • Changes the display of characters in the console

      • cmd.exe (PID: 2276)
    • Reads CPU info

      • Lunar Client.exe (PID: 6140)
    • Launching a file from a Registry key

      • reg.exe (PID: 5080)
    • Node.js compiler has been detected

      • Lunar Client.exe (PID: 6140)
      • Lunar Client.exe (PID: 1512)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
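The MALICIOUS and SUSPICIOUS entries above are behavioural heuristics over process creations: a PowerShell child started with its banner and profile suppressed and the execution policy set to Unrestricted, reg.exe writing an autorun value, cmd.exe enumerating processes (the process tree shows cmd.exe -> tasklist.exe -> find.exe), all spawned by the Electron launcher. The following is an added example, not part of the ANY.RUN report and not Lunar Client or Overwolf code, that expresses those checks as rules over Sysmon-style process-creation events. The event records are constructed: the report does not print the command lines of reg.exe (PID 5080), powershell.exe or cmd.exe (PID 5600), so the registry key, the PowerShell switches and the tasklist pipeline used here are assumptions chosen to exercise the rules; only the cmd.exe 2276 "chcp" line is taken from the report.

```python
"""Behavioural process-creation rules modelled on the sandbox indicators above.

Added example. The events are constructed; the reg.exe, powershell.exe and
tasklist command lines are assumptions, the report does not show them.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str          # full path of the created process (Sysmon "Image")
    cmdline: str        # Sysmon "CommandLine"
    parent_image: str   # Sysmon "ParentImage"


LUNAR = r"C:\Users\admin\AppData\Local\Programs\Lunar Client\Lunar Client.exe"
CMD = r"C:\Windows\System32\cmd.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
REG = r"C:\Windows\System32\reg.exe"

SAMPLE_EVENTS = [
    # Taken from the report: cmd.exe 2276 probing the console code page.
    ProcEvent(2276, CMD, r'C:\WINDOWS\system32\cmd.exe /d /s /c "chcp"', LUNAR),
    # cmd.exe 5600 enumerated processes (tree: cmd.exe -> tasklist.exe -> find.exe);
    # the filter string is an assumption.
    ProcEvent(5600, CMD, r'C:\WINDOWS\system32\cmd.exe /d /s /c "tasklist | find /I "javaw""', LUNAR),
    # Constructed PowerShell child: quiet switches plus an Unrestricted execution policy.
    ProcEvent(4321, PS,
              r'powershell.exe -NoLogo -NoProfile -ExecutionPolicy Unrestricted '
              r'-Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"', LUNAR),
    # reg.exe 5080 changed an autorun value; key and value name are assumptions.
    ProcEvent(5080, REG,
              r'reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" '
              r'/v LunarClient /t REG_SZ /d "' + LUNAR + r'" /f', LUNAR),
    # Benign control: a registry read that must not trigger any rule.
    ProcEvent(9999, REG, r'reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName', CMD),
]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


_RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\b", re.I)
_UNRESTRICTED = re.compile(
    r"(?:-ExecutionPolicy|Set-ExecutionPolicy)\s+(?:-ExecutionPolicy\s+)?(?:Unrestricted|Bypass)", re.I)
# Windows PowerShell accepts unambiguous prefixes, so -nop and -noni are caught as well.
_QUIET = re.compile(r"(?<![\w-])-(?:nologo|noprofile|nop|noninteractive|noni)\b", re.I)
_ENUM = re.compile(r"\b(?:tasklist|wmic\s+process|Get-Process)\b", re.I)


def r_exec_policy(e: ProcEvent) -> bool:
    return _basename(e.image) == "powershell.exe" and bool(_UNRESTRICTED.search(e.cmdline))


def r_autorun(e: ProcEvent) -> bool:
    # Only writes count: "reg add" against a Run/RunOnce key, not "reg query".
    return (_basename(e.image) == "reg.exe"
            and re.search(r"\badd\b", e.cmdline, re.I) is not None
            and bool(_RUN_KEY.search(e.cmdline)))


def r_quiet_ps(e: ProcEvent) -> bool:
    return _basename(e.image) == "powershell.exe" and bool(_QUIET.search(e.cmdline))


def r_proc_enum(e: ProcEvent) -> bool:
    return _basename(e.image) == "cmd.exe" and bool(_ENUM.search(e.cmdline))


def r_shell_from_electron(e: ProcEvent) -> bool:
    return (_basename(e.parent_image) == "lunar client.exe"
            and _basename(e.image) in {"cmd.exe", "powershell.exe", "reg.exe"})


RULES = [
    ("MALICIOUS", "powershell_execution_policy_unrestricted", r_exec_policy),
    ("MALICIOUS", "autorun_registry_write", r_autorun),
    ("SUSPICIOUS", "powershell_quiet_switches", r_quiet_ps),
    ("SUSPICIOUS", "process_enumeration_via_cmd", r_proc_enum),
    ("SUSPICIOUS", "shell_spawned_by_electron_app", r_shell_from_electron),
]


def evaluate(events):
    """Return one (severity, rule, pid) tuple for every rule that fires on every event."""
    return [(sev, name, e.pid) for e in events for sev, name, pred in RULES if pred(e)]


def verdict(hits) -> str:
    """Highest severity among the hits, mirroring the report's MALICIOUS/SUSPICIOUS/INFO tiers."""
    rank = {"MALICIOUS": 2, "SUSPICIOUS": 1}
    return max((h[0] for h in hits), key=rank.__getitem__, default="INFO")


if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS)
    for sev, name, pid in found:
        print(f"{sev:10} {name:42} PID {pid}")
    print("verdict:", verdict(found))
```

To run this against real data, build ProcEvent records from the Image, CommandLine and ParentImage fields of Sysmon Event ID 1 (or Security 4688) exports. Note that the parent-process rule fires on the harmless `chcp` probe as well; the report itself lists "Starts CMD.EXE for commands execution" under SUSPICIOUS, not MALICIOUS, for the same reason, and the verdict here is driven only by the execution-policy and autorun rules.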
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:09:25 21:57:46+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 27136
InitializedDataSize: 186880
UninitializedDataSize: 2048
EntryPoint: 0x352d
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 2.282.1.1
ProductVersionNumber: 2.282.1.1
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
Comments: -
CompanyName: Overwolf Ltd.
FileDescription: Lunar Client
FileVersion: 2.282.1.1
LegalCopyright: Copyright (C) 2021 Overwolf Ltd. All Rights Reserved.
LegalTrademarks: -
ProductName: Lunar Client
ProductVersion: 2.282.1.1
No data.
All screenshots are available in the full report
Total processes
186
Monitored processes
40
Malicious processes
5
Suspicious processes
1

Behavior graph

Processes in launch order ("no specs": the report recorded no behaviour indicators for that process):
  • lunar client - installer.exe
  • owinstaller.exe
  • dxdiag.exe
  • ow-electron-setup.exe
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • tasklist.exe (no specs)
  • find.exe (no specs)
  • lunar client.exe
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • chcp.com (no specs)
  • lunar client.exe (no specs)
  • lunar client.exe (no specs)
  • lunar client.exe
  • lunar client.exe
  • reg.exe (no specs)
  • conhost.exe (no specs)
  • lunar client.exe (no specs)
  • powershell.exe (no specs)
  • conhost.exe (no specs)
  • powershell.exe (no specs)
  • conhost.exe (no specs)
  • reg.exe
  • conhost.exe (no specs)
  • lunar client.exe (no specs)
  • lunar client.exe
  • cmd.exe (no specs)
  • lunar client.exe (no specs)
  • conhost.exe (no specs)
  • dxdiag.exe (no specs)
  • lunar client.exe (no specs)
  • lunar client.exe (no specs)
  • slui.exe
  • lunar client.exe (no specs)
  • lunar client.exe (no specs)
  • lunar client.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • reg.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 728
CMD: "C:\Users\admin\AppData\Local\Programs\Lunar Client\Lunar Client.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.3636 --user-data-dir="C:\Users\admin\AppData\Roaming\lunarclient" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2936,i,16022232492326053123,6977278216560941603,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=3952 /prefetch:8
Path: C:\Users\admin\AppData\Local\Programs\Lunar Client\Lunar Client.exe
Parent process: Lunar Client.exe
User:
admin
Company:
Moonsworth LLC
Integrity Level:
MEDIUM
Description:
Electron launcher for Lunar Client
Exit code:
0
Version:
3.4.3-ow
Modules
Images
c:\users\admin\appdata\local\programs\lunar client\lunar client.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 868
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: reg.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1028
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: reg.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1352
CMD: chcp
Path: C:\Windows\System32\chcp.com
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Change CodePage Utility
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\chcp.com
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
PID: 1512
CMD: "C:\Users\admin\AppData\Local\Programs\Lunar Client\Lunar Client.exe" --type=crashpad-handler --user-data-dir=C:\Users\admin\AppData\Roaming\lunarclient /prefetch:4 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\admin\AppData\Roaming\lunarclient\Crashpad --url=https://f.a.k/e --annotation=_productName=lunarclient --annotation=_version=3.4.3-ow --annotation=plat=Win64 --annotation=prod=Electron --annotation=ver=31.7.12 --initial-client-data=0x584,0x57c,0x590,0x574,0x5a8,0x7ff630b6d938,0x7ff630b6d944,0x7ff630b6d950
Path: C:\Users\admin\AppData\Local\Programs\Lunar Client\Lunar Client.exe
Parent process: Lunar Client.exe
User:
admin
Company:
Moonsworth LLC
Integrity Level:
MEDIUM
Description:
Electron launcher for Lunar Client
Version:
3.4.3-ow
Modules
Images
c:\users\admin\appdata\local\programs\lunar client\lunar client.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\users\admin\appdata\local\programs\lunar client\ffmpeg.dll
c:\windows\system32\combase.dll
PID: 1564
CMD: "C:\Users\admin\AppData\Local\Programs\Lunar Client\Lunar Client.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\admin\AppData\Roaming\lunarclient" --standard-schemes=owepm --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --streaming-schemes=owepm --field-trial-handle=2216,i,16022232492326053123,6977278216560941603,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2212 /prefetch:3
Path: C:\Users\admin\AppData\Local\Programs\Lunar Client\Lunar Client.exe
Parent process: Lunar Client.exe
User:
admin
Company:
Moonsworth LLC
Integrity Level:
MEDIUM
Description:
Electron launcher for Lunar Client
Version:
3.4.3-ow
Modules
Images
c:\users\admin\appdata\local\programs\lunar client\lunar client.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2044
CMD: "C:\Users\admin\AppData\Local\Temp\nsq519B.tmp\OWinstaller.exe" Sel=0&Extension=jilehohlakeokncafogkgnicgndeecdiengddbcc&UtmSource=client-site&UtmMedium=download-page&UtmCampaign=direct&Referer=www.lunarclient.com&Browser=firefox -partnerCustomizationLevel 1 -customPromoPages --owelectronUrl=https://launcherupdates.lunarclientcdn.com/latest-ow.yml -AllowWindowsInsider --disable-change-location --disable-ow-shortcut-ui --disable-app-shortcut-ui --enable-app-shortcut --eula-url=https://www.lunarclient.com/terms --privacy-url=https://www.lunarclient.com/privacy --silent-setup --app-name="Lunar Client" --auto-close -exepath C:\Users\admin\AppData\Local\Temp\Lunar Client - Installer.exe
Path: C:\Users\admin\AppData\Local\Temp\nsq519B.tmp\OWInstaller.exe
Parent process: Lunar Client - Installer.exe
User:
admin
Company:
Overwolf
Integrity Level:
MEDIUM
Description:
Lunar Client Installer
Exit code:
0
Version:
2.282.0.1
Modules
Images
c:\users\admin\appdata\local\temp\nsq519b.tmp\owinstaller.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 2276
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2276
CMD: C:\WINDOWS\system32\cmd.exe /d /s /c "chcp"
Path: C:\Windows\System32\cmd.exe
Parent process: Lunar Client.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 3028
CMD: "C:\WINDOWS\System32\DxDiag.exe" /xC:\Users\admin\AppData\Local\Overwolf\Temp\DxDiagOutput.xml
Path: C:\Windows\System32\dxdiag.exe
Parent process: OWInstaller.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft DirectX Diagnostic Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dxdiag.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events
32 068
Read events
31 844
Write events
166
Delete events
58

Modification events

Process: (3028) dxdiag.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\DirectX Diagnostic Tool
Operation: write
Name: DxDiag In SystemInfo
Value: 1

Process: (2044) OWInstaller.exe
Key: HKEY_CURRENT_USER\SOFTWARE\OverwolfPersist
Operation: write
Name: MUIDV2
Value: 114813ec-b2c8-4dc9-9eac-49eb87141eef

Process: (2044) OWInstaller.exe
Key: HKEY_CURRENT_USER\SOFTWARE\OverwolfElectron
Operation: write
Name: MUID
Value: bb926e54-e3ca-40fd-ae90-2764341e7792

Process: (2044) OWInstaller.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\OWinstaller_RASAPI32
Operation: write
Names and values: EnableFileTracing = 0, EnableAutoFileTracing = 0, EnableConsoleTracing = 0, FileTracingMask = (no value shown), ConsoleTracingMask = (no value shown), MaxFileSize = 1048576, FileDirectory = %windir%\tracing

The <image>_RASAPI32 tracing subkeys are created automatically when a process loads rasapi32.dll (usually pulled in via WinINet); the "Disables trace logs" indicator above keys on these writes, which on their own say nothing about intent.
Executable files
174
Suspicious files
7 763
Text files
5 486
Unknown types
2

Dropped files

PID
Process
Filename
Type
PID 6852, Lunar Client - Installer.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsq519B.tmp\UserInfo.dll
Type: executable
MD5: 1DD4CA0F4A94155F8D46EC95A20ADA4A
SHA256: A27DC3069793535CB64123C27DCA8748983D133C8FA5AADDEE8CDBC83F16986D

PID 6852, Lunar Client - Installer.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsq519B.tmp\uac.dll
Type: executable
MD5: 861F7E800BB28F68927E65719869409C
SHA256: 10A0E8CF46038AB3B2C3CF5DCE407B9A043A631CBDE9A5C8BCF0A54B2566C010

PID 6852, Lunar Client - Installer.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsq519B.tmp\nsProcess.dll
Type: executable
MD5: 10E47E822B85D2A12FA4727001612182
SHA256: D530589A90918334B8E08D7355630892DD62F41333D948A860735D5BECFCB391

PID 6852, Lunar Client - Installer.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsq519B.tmp\SharpRaven.dll
Type: executable
MD5: 271251960BF1D6A491803E15BD562E45
SHA256: 776C6B0642F7A3F3F3AD3CC6BB5F1D528E90C6029B671D8F82B0320B185B92A7

PID 6852, Lunar Client - Installer.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsq519B.tmp\CommandLine.dll
Type: executable
MD5: 210472E9E333D3329072C9EA3EF06326
SHA256: 569307401B949368527B128155B4E16B349803EC7D65C1052CC23C7B7A1336D8

PID 6852, Lunar Client - Installer.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsq519B.tmp\nsis7z.dll
Type: executable
MD5: E529462E7983C88D4BF04546BB372549
SHA256: BF2290AA25F09A18698321891E077B433554FDAAF37CD908B10BC3E3AD01F8A8

PID 6852, Lunar Client - Installer.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsq519B.tmp\utils.dll
Type: executable
MD5: C6B46A5FCDCCBF3AEFF930B1E5B383D4
SHA256: 251AB3E2690562DCFCD510642607F206E6DCF626D06D94B74E1FA8297B1050A0

PID 6852, Lunar Client - Installer.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsq519B.tmp\System.dll
Type: executable
MD5: 51BD16A2EA23AE1E7A92CEDC6785C82E
SHA256: 4DBC79D2B1C7987CC64BB5D014DB81BB5108BDD6D8BF3A5F820FAC1DED62BE33

PID 6852, Lunar Client - Installer.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsq519B.tmp\websocket-sharp.dll
Type: executable
MD5: 1B4FCDE3554ED9CA14E8E7C3A1706FB3
SHA256: B152284FD1EF5CEBEE56802F13B46DEF7C136F0C50FB173AE29CF0648BB4CB1F

PID 6852, Lunar Client - Installer.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsq519B.tmp\DotNetZip.dll
Type: executable
MD5: 190E712F2E3B065BA3D5F63CB9B7725E
SHA256: 6C512D9943A225D686B26FC832589E4C8BEF7C4DD0A8BDFD557D5D27FE5BBA0F

All ten files sit in the NSIS stub's plugin directory %TEMP%\nsq519B.tmp, the same directory OWInstaller.exe (PID 2044) was launched from. System.dll, UserInfo.dll, nsProcess.dll, nsis7z.dll and uac.dll are stock NSIS plugin names, which is what the "System.dll in Temp" and "names similar to system file names" indicators key on; SharpRaven.dll, CommandLine.dll, websocket-sharp.dll and DotNetZip.dll are .NET libraries, consistent with OWInstaller.exe loading mscoree.dll. Match the hashes against known-good copies of those libraries before treating any of them as an indicator.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
26
TCP/UDP connections
718
DNS requests
789
Threats
447

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2044
OWInstaller.exe
GET
200
142.250.185.238:80
http://www.google-analytics.com/__utm.gif?utmwv=4.7.2&utmn=334802727&utmhn=&utmcs=UTF-8&utmsr=-&utmsc=-&utmul=-&utmje=0&utmfl=-&utmdt=&utmhid=560947759&utmr=/&utmp=/&utmac=UA-80584726-1&utmcc=__utma%3D0.1872131902.1752308088.1752308088.1752308088.2%3B%2B__utmz%3D0.1752308088.1.1.utmcsr%3D%28direct%29%7Cutmccn%3D%7Cutmcmd%3D%3B&utme=5%28Funnel2%2AInstaller%20Launched%2A%29%28%29&gaq=1&utmt=event
unknown
whitelisted
2044
OWInstaller.exe
GET
200
142.250.185.238:80
http://www.google-analytics.com/__utm.gif?utmwv=4.7.2&utmn=529987467&utmhn=&utmcs=UTF-8&utmsr=-&utmsc=-&utmul=-&utmje=0&utmfl=-&utmdt=&utmhid=656924905&utmr=/&utmp=/&utmac=UA-18298709-8&utmcc=__utma%3D0.1872131902.1752308088.1752308088.1752308088.2%3B%2B__utmz%3D0.1752308088.1.1.utmcsr%3D%28direct%29%7Cutmccn%3D%7Cutmcmd%3D%3B&utme=5%28Funnel2%2AInstaller%20Launched%2A%29%28%29&gaq=1&utmt=event
unknown
whitelisted
2044
OWInstaller.exe
GET
200
18.245.38.41:80
http://ocsp.rootca3.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRkNawYMzz%2BjKSfYbTyFR0AXuhs6QQUq7bb1waeN6wwhgeRcMecxBmxeMACEwdzEnA9eVH9TrLXPKuCavuqCA0%3D
unknown
whitelisted
2044
OWInstaller.exe
GET
200
18.245.38.41:80
http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwdzEkpLy9ROx7U76vGUhC06D6E%3D
unknown
whitelisted
2044
OWInstaller.exe
GET
200
216.58.212.163:80
http://o.pki.goog/we2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTuMJxAT2trYla0jia%2F5EUSmLrk3QQUdb7Ed66J9kQ3fc%2BxaB8dGuvcNFkCEGV6UilsoU6FEuJGupqjg48%3D
unknown
whitelisted
2044
OWInstaller.exe
GET
200
216.58.206.67:80
http://c.pki.goog/r/r4.crl
unknown
whitelisted
2044
OWInstaller.exe
GET
200
216.58.206.67:80
http://c.pki.goog/r/gsr1.crl
unknown
whitelisted
2044
OWInstaller.exe
GET
200
216.58.212.163:80
http://o.pki.goog/we2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTuMJxAT2trYla0jia%2F5EUSmLrk3QQUdb7Ed66J9kQ3fc%2BxaB8dGuvcNFkCEQCHQSEwgrwWwBLDeGM1kMKa
unknown
whitelisted
3028
dxdiag.exe
GET
200
23.216.77.19:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
3028
dxdiag.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicWinProPCA2011_2011-10-19.crl%20
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5944
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
1268
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6732
RUXIMICS.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
2044
OWInstaller.exe
104.18.28.96:443
launcherupdates.lunarclientcdn.com
CLOUDFLARENET
unknown
2044
OWInstaller.exe
142.250.185.238:80
www.google-analytics.com
GOOGLE
US
whitelisted
2044
OWInstaller.exe
18.244.18.46:443
analyticsnew.overwolf.com
US
whitelisted
2044
OWInstaller.exe
18.245.86.117:443
content.overwolf.com
US
whitelisted
2044
OWInstaller.exe
18.245.38.41:80
ocsp.rootca3.amazontrust.com
US
whitelisted
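The Connections table mixes the sample's traffic with the sandbox guest's own background noise (MoUsoCoreWorker.exe, svchost.exe and RUXIMICS.exe talking to settings-win.data.microsoft.com, NetBIOS broadcasts from PID 4), and the sample's own requests mix first-party CDN fetches with Google Analytics and Overwolf telemetry and OCSP/CRL revocation lookups. The following added example, not part of the ANY.RUN report and not Lunar Client or Overwolf code, triages such a table: it drops connections from processes outside the sample's tree and buckets the rest so that the one destination with unknown reputation, launcherupdates.lunarclientcdn.com, surfaces first. The records are copied from the table above; the bucket heuristics and the set of sample PIDs are the example's own assumptions.

```python
"""Triage of sandbox network connections: separate the sample's own traffic from
guest-OS background noise and bucket it by purpose.

Added example. Records are copied from the report's Connections table; the
bucket rules and SAMPLE_PIDS are assumptions made for the example.
"""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    pid: int
    process: str
    endpoint: str      # "ip:port", IPv4 as printed in the report
    domain: str        # "" where the report shows no resolved name
    reputation: str    # the report's label: whitelisted / unknown / shared


# PIDs in the analysed sample's process tree (taken from the report above).
SAMPLE_PIDS = {6852, 2044, 3028, 7156, 6140, 5564, 1564, 4764}

CONNECTIONS = [
    Conn(5944, "MoUsoCoreWorker.exe", "20.73.194.208:443", "settings-win.data.microsoft.com", "whitelisted"),
    Conn(4, "System", "192.168.100.255:137", "", "whitelisted"),
    Conn(1268, "svchost.exe", "20.73.194.208:443", "settings-win.data.microsoft.com", "whitelisted"),
    Conn(6732, "RUXIMICS.exe", "20.73.194.208:443", "settings-win.data.microsoft.com", "whitelisted"),
    Conn(4, "System", "192.168.100.255:138", "", "whitelisted"),
    Conn(2044, "OWInstaller.exe", "104.18.28.96:443", "launcherupdates.lunarclientcdn.com", "unknown"),
    Conn(2044, "OWInstaller.exe", "142.250.185.238:80", "www.google-analytics.com", "whitelisted"),
    Conn(2044, "OWInstaller.exe", "18.244.18.46:443", "analyticsnew.overwolf.com", "whitelisted"),
    Conn(2044, "OWInstaller.exe", "18.245.86.117:443", "content.overwolf.com", "whitelisted"),
    Conn(2044, "OWInstaller.exe", "18.245.38.41:80", "ocsp.rootca3.amazontrust.com", "whitelisted"),
]

# Certificate-revocation infrastructure (OCSP/CRL): a side effect of Authenticode and
# TLS validation by the OS, not a destination the installer chose.
_PKI = re.compile(r"^(?:ocsp|crl)\.|(?:^|\.)pki\.goog$|^crl\.microsoft\.com$", re.I)
_TELEMETRY = re.compile(r"analytics", re.I)


def classify(c: Conn, sample_pids=SAMPLE_PIDS) -> str:
    """Assign one connection to a triage bucket; the first matching rule wins."""
    if c.pid not in sample_pids:
        return "guest_os_noise"          # Windows Update / telemetry of the sandbox itself
    ip = ipaddress.ip_address(c.endpoint.rsplit(":", 1)[0])
    if ip.is_private or ip.is_multicast or ip.is_link_local:
        return "local_network"
    host = c.domain.lower()
    if _PKI.search(host):
        return "pki_revocation"
    if _TELEMETRY.search(host):
        return "telemetry"
    if c.reputation != "whitelisted":
        return "pivot"                   # unknown/shared reputation: look at this first
    return "first_party_whitelisted"


def triage(conns, sample_pids=SAMPLE_PIDS):
    """Bucket name -> sorted, de-duplicated destination strings."""
    buckets = defaultdict(set)
    for c in conns:
        label = f"{c.domain} ({c.endpoint})" if c.domain else c.endpoint
        buckets[classify(c, sample_pids)].add(label)
    return {name: sorted(dests) for name, dests in buckets.items()}


if __name__ == "__main__":
    for name, dests in triage(CONNECTIONS).items():
        print(name)
        for d in dests:
            print("   ", d)
```

Reading the result: the only "pivot" entry is the update-manifest host named on OWInstaller.exe's own command line (--owelectronUrl=https://launcherupdates.lunarclientcdn.com/latest-ow.yml), so "unknown" here means unrated by the sandbox, not malicious; the bucket order is a priority list for where to look, not a verdict.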

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
google.com
  • 142.250.185.142
whitelisted
launcherupdates.lunarclientcdn.com
  • 104.18.28.96
  • 104.18.29.96
unknown
www.google-analytics.com
  • 142.250.185.238
whitelisted
analyticsnew.overwolf.com
  • 18.244.18.46
  • 18.244.18.106
  • 18.244.18.56
  • 18.244.18.51
whitelisted
content.overwolf.com
  • 18.245.86.117
  • 18.245.86.110
  • 18.245.86.78
  • 18.245.86.39
whitelisted
ocsp.rootca3.amazontrust.com
  • 18.245.38.41
whitelisted
storeapi.overwolf.com
  • 18.172.112.117
  • 18.172.112.84
  • 18.172.112.62
  • 18.172.112.72
shared
console-apps.overwolf.com
  • 18.66.122.9
  • 18.66.122.24
  • 18.66.122.63
  • 18.66.122.107
whitelisted
ocsp.rootca1.amazontrust.com
  • 18.245.38.41
whitelisted

Threats

PID
Process
Class
Message
PID 1564, Lunar Client.exe (the Electron network-service utility process listed under Process information)
Class: Generic Protocol Command Decode
Message: SURICATA QUIC failed decrypt (10 identical alerts listed; 447 threat events in total)

These are Suricata app-layer decoder events raised when the sensor cannot decrypt QUIC traffic, which is expected from a Chromium-based network service; they record a decode failure, not a match on an exploit or C2 signature, and do not by themselves support the "Malicious activity" verdict.
No debug info