| File name: | Lunar-Client-Lite-Launcher-1.6.4.zip |
| Full analysis: | https://app.any.run/tasks/3093cd36-4888-4e49-b660-e5d48c4ac3b8 |
| Verdict: | Malicious activity |
| Analysis date: | April 28, 2025, 11:47:13 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v1.0 to extract, compression method=store |
| MD5: | 3889BCD6BB1B9D81197230FA5D499F87 |
| SHA1: | B2D2ECCF281F12D1F3B11341D883C9624813972A |
| SHA256: | E7FBAD58C68784D09B1030BE68B73497611E7039B863B06254A0208F3E975288 |
| SSDEEP: | 6144:ljn7WaKEaTaz6JfAje8YP6E4Kk27sJ0QyEcMKuC:t7jKEa5Ye8YPy72rEMuC |
MALICIOUS
Generic archive extractor
- WinRAR.exe (PID: 7568)
SUSPICIOUS
Checks for Java to be installed
- javaw.exe (PID: 7780)
Executing commands from a ".bat" file
- WinRAR.exe (PID: 7568)
Reads security settings of Internet Explorer
- WinRAR.exe (PID: 7568)
Starts CMD.EXE for commands execution
- WinRAR.exe (PID: 7568)
INFO
Manual execution by a user
- cmd.exe (PID: 7700)
- notepad.exe (PID: 7880)
- notepad.exe (PID: 7920)
- notepad.exe (PID: 7840)
- notepad.exe (PID: 7960)
- notepad.exe (PID: 8016)
- notepad.exe (PID: 8056)
- notepad.exe (PID: 8096)
- notepad.exe (PID: 8136)
- notepad.exe (PID: 8176)
Reads security settings of Internet Explorer
- notepad.exe (PID: 7840)
- notepad.exe (PID: 7880)
- notepad.exe (PID: 7960)
- notepad.exe (PID: 7920)
- notepad.exe (PID: 8016)
- notepad.exe (PID: 8056)
- notepad.exe (PID: 8096)
- notepad.exe (PID: 8136)
- notepad.exe (PID: 8176)
Checks supported languages
- javaw.exe (PID: 7780)
- MpCmdRun.exe (PID: 5392)
Reads the computer name
- javaw.exe (PID: 7780)
- MpCmdRun.exe (PID: 5392)
Checks proxy server information
- slui.exe (PID: 3100)
Create files in a temporary directory
- MpCmdRun.exe (PID: 5392)
Reads the software policy settings
- slui.exe (PID: 3100)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 10 |
|---|---|
| ZipBitFlag: | - |
| ZipCompression: | None |
| ZipModifyDate: | 2021:11:07 00:15:22 |
| ZipCRC: | 0x00000000 |
| ZipCompressedSize: | - |
| ZipUncompressedSize: | - |
| ZipFileName: | Lunar-Client-Lite-Launcher-1.6.4/ |
Total processes
141
Monitored processes
18
Malicious processes
1
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1228 | C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\Rar$VR7568.18241\Rar$Scan30556.bat" " | C:\Windows\System32\cmd.exe | — | WinRAR.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3100 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5392 | "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File "C:\Users\admin\AppData\Local\Temp\Rar$VR7568.18241" | C:\Program Files\Windows Defender\MpCmdRun.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Malware Protection Command Line Utility Exit code: 2 Version: 4.18.1909.6 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6744 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7568 | "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\Lunar-Client-Lite-Launcher-1.6.4.zip | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | |||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.91.0 Modules
| |||||||||||||||
| 7700 | C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\Desktop\wrapper.cmd" " | C:\Windows\System32\cmd.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7708 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7756 | xcopy C:\Users\admin\AppData\Roaming\.minecraft\assets "\assets" /E /H /C /I /Y /F | C:\Windows\System32\xcopy.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Extended Copy Utility Exit code: 4 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7780 | javaw.exe --add-modules jdk.naming.dns --add-exports jdk.naming.dns/com.sun.jndi.dns=java.naming -Djna.boot.library.path="C:\Users\admin\.lunarclient\offline\\natives" --add-opens java.base/java.io=ALL-UNNAMED -Djava.library.path="C:\Users\admin\.lunarclient\offline\\natives" -cp "C:\Users\admin\.lunarclient\offline\\lunar-assets-prod-1-optifine.jar";"C:\Users\admin\.lunarclient\offline\\lunar-assets-prod-2-optifine.jar";"C:\Users\admin\.lunarclient\offline\\lunar-assets-prod-3-optifine.jar";"C:\Users\admin\.lunarclient\offline\\lunar-libs.jar";"C:\Users\admin\.lunarclient\offline\\lunar-prod-optifine.jar";"C:\Users\admin\.lunarclient\offline\\OptiFine.jar";"C:\Users\admin\.lunarclient\offline\\vpatcher-prod.jar" com.moonsworth.lunar.patcher.LunarMain --version --accessToken 0 --assetIndex --userProperties {} --gameDir "" --texturesDir "" --width 854 --height 480 | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_2989500\javaw.exe | — | cmd.exe | |||||||||||
User: admin Company: Oracle Corporation Integrity Level: MEDIUM Description: Java(TM) Platform SE binary Version: 8.0.2710.9 Modules
| |||||||||||||||
| 7840 | "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\arabicui.txt | C:\Windows\System32\notepad.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Notepad Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
6 347
Read events
6 338
Write events
9
Delete events
0
Modification events
| (PID) Process: | (7568) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\preferences.zip | |||
| (PID) Process: | (7568) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\chromium_ext.zip | |||
| (PID) Process: | (7568) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip | |||
| (PID) Process: | (7568) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\Lunar-Client-Lite-Launcher-1.6.4.zip | |||
| (PID) Process: | (7568) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (7568) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (7568) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (7568) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (7568) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\VirusScan |
| Operation: | write | Name: | DefScanner |
Value: Windows Defender | |||
Executable files
0
Suspicious files
1
Text files
30
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 7568 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR7568.18241\Lunar-Client-Lite-Launcher-1.6.4.zip\Lunar-Client-Lite-Launcher-1.6.4\Resources\Edit.png | image | |
MD5:00BA06D0DBD0649EB8D6BA907446600A | SHA256:CE9B0CBA5991B7C5FD57B046047B2DA9CB68DA7DB0B8A16B1227E00497CD19FA | |||
| 7568 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR7568.18241\Lunar-Client-Lite-Launcher-1.6.4.zip\Lunar-Client-Lite-Launcher-1.6.4\Logo.ico | image | |
MD5:B446FA57BCE3087047AA6F650D6DA0DF | SHA256:C7DF3957A741ABE4F1A8FE80FA19701F8BE97BDD93AF33B0D81995C1B9679D9E | |||
| 7568 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR7568.18241\Lunar-Client-Lite-Launcher-1.6.4.zip\Lunar-Client-Lite-Launcher-1.6.4\Logo.png | image | |
MD5:27F5D4E7879F6DB08A4476BAD55A484A | SHA256:E10A899D903BC717C4E1CE455EF8FB3417AC13534140B9406A9EA30291FFBEA1 | |||
| 7568 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR7568.18241\Lunar-Client-Lite-Launcher-1.6.4.zip\Lunar-Client-Lite-Launcher-1.6.4\LICENSE | text | |
MD5:1EBBD3E34237AF26DA5DC08A4E440464 | SHA256:3972DC9744F6499F0F9B2DBF76696F2AE7AD8AF9B23DDE66D6AF86C9DFB36986 | |||
| 7568 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR7568.18241\Lunar-Client-Lite-Launcher-1.6.4.zip\Lunar-Client-Lite-Launcher-1.6.4\Resources\Edit_Clicked.png | image | |
MD5:31CE5A0E345FFE8B8EB8C81503520E89 | SHA256:A4401B798B6FB983A6F48646DA8535FB1E2B484E9859E29B9B9E72FAE79ABAB6 | |||
| 7568 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR7568.18241\Lunar-Client-Lite-Launcher-1.6.4.zip\Lunar-Client-Lite-Launcher-1.6.4\Resources\Launch.png | image | |
MD5:0B277E3AC635DA190C021CCCFA99D5FE | SHA256:7BBF032E347E18E45093830E3D793D16EC985BDAAC0639D32493F75979DE45FB | |||
| 7568 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR7568.18241\Lunar-Client-Lite-Launcher-1.6.4.zip\Lunar-Client-Lite-Launcher-1.6.4\Resources\Save_JVMArguments_Clicked.png | image | |
MD5:085653CBFF433E9D47AD8013C955FD05 | SHA256:5D90DE76116B336A64D56D8E625CD7258105B5D0B88D835EE0F7BA442808AF1B | |||
| 7568 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR7568.18241\Lunar-Client-Lite-Launcher-1.6.4.zip\Lunar-Client-Lite-Launcher-1.6.4\Resources\Save_JVMArguments.png | image | |
MD5:2FE60928D93F76712006781AECDAC5E2 | SHA256:922C9D19A235C33E6E727D6A546742470E05E199FC86ED89889A21FF431921DA | |||
| 7568 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR7568.18241\Lunar-Client-Lite-Launcher-1.6.4.zip\Lunar-Client-Lite-Launcher-1.6.4\Resources\Launch_Clicked.png | image | |
MD5:85697E294DF418EE6BC05FD7B9314807 | SHA256:F5279B2B1E5C6910813FD81C4A029CF226E401BE879AF30CC07738588E888778 | |||
| 7568 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR7568.18241\Lunar-Client-Lite-Launcher-1.6.4.zip\Lunar-Client-Lite-Launcher-1.6.4\Resources\lang\chineseui.txt | text | |
MD5:1346AAB53066BE667EDA4EB34648796A | SHA256:663226FDAC1EC5CC1F65C3972451F0BC989F62812BBC6ADE3F02872895BDD142 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
32
TCP/UDP connections
50
DNS requests
17
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2104 | svchost.exe | GET | 200 | 23.216.77.4:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
2104 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | GET | 304 | 4.245.163.56:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | — | — | unknown |
2564 | SIHClient.exe | GET | 200 | 23.216.77.7:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | — | — | whitelisted |
2564 | SIHClient.exe | GET | 200 | 23.216.77.7:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | — | — | whitelisted |
2564 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | — | — | whitelisted |
2564 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
2564 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | — | — | whitelisted |
2564 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | — | — | whitelisted |
2564 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
2104 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
2104 | svchost.exe | 23.216.77.4:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
2104 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
3216 | svchost.exe | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted |
6544 | svchost.exe | 40.126.31.129:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
2104 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
2104 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
login.live.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |
nexusrules.officeapps.live.com |
| whitelisted |