URL:

https://roblox.co

Full analysis: https://app.any.run/tasks/9f90b137-6b32-4893-ba35-418a58a3b402
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: November 29, 2025, 17:08:30
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
fingerprinting
anti-evasion
discord
arch-doc
github
stealer
ims-api
generic
python
nodejs
evasion
Indicators:
MD5: 97E228EABEB4A12B6A1D240237793A07
SHA1: 6FACB09E4519E08CB2DF93ACD374B0F240F872E4
SHA256: FF7A65E406DC4D990854D647B9FC4FDD64C063C95B7E9CB3EA503585AB7B9FAE
SSDEEP: 3:N8e0Zn:2PZ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • _2daa85b39f3abd83588a142eff2d00476382336ab0f6d69bc68ad52b7302668e.exe (PID: 7704)
      • LunnyClient.exe (PID: 3308)
      • LunnyClient.exe (PID: 4428)
      • LunnyClient.exe (PID: 7944)
      • LunnyClient.exe (PID: 7184)
      • LunnyClient.exe (PID: 7408)
    • Changes Windows Defender settings

      • cscript.exe (PID: 1164)
      • cscript.exe (PID: 5876)
      • cmd.exe (PID: 7384)
    • Adds path to the Windows Defender exclusion list

      • cscript.exe (PID: 1164)
      • cscript.exe (PID: 5876)
    • Changes settings for real-time protection

      • powershell.exe (PID: 1844)
    • Starts NET.EXE for service management

      • cmd.exe (PID: 2028)
      • net.exe (PID: 3500)
    • Steals credentials from Web Browsers

      • LunnyClient.exe (PID: 4428)
    • Create files in the Startup directory

      • cscript.exe (PID: 864)
    • Actions looks like stealing browser data

      • LunnyClient.exe (PID: 4428)
      • python.exe (PID: 5324)
    • Suspicious browser debugging (Possible cookie theft)

      • msedge.exe (PID: 5268)
      • msedge.exe (PID: 1960)
      • msedge.exe (PID: 896)
    • Actions looks like stealing of personal data

      • LunnyClient.exe (PID: 4428)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • _2daa85b39f3abd83588a142eff2d00476382336ab0f6d69bc68ad52b7302668e.exe (PID: 7704)
      • LunnyClient.exe (PID: 4428)
      • python.exe (PID: 4972)
      • python.exe (PID: 6048)
    • Process drops legitimate windows executable

      • _2daa85b39f3abd83588a142eff2d00476382336ab0f6d69bc68ad52b7302668e.exe (PID: 7704)
      • LunnyClient.exe (PID: 4428)
      • python.exe (PID: 6048)
    • Reads security settings of Internet Explorer

      • _2daa85b39f3abd83588a142eff2d00476382336ab0f6d69bc68ad52b7302668e.exe (PID: 7704)
    • Drops 7-zip archiver for unpacking

      • _2daa85b39f3abd83588a142eff2d00476382336ab0f6d69bc68ad52b7302668e.exe (PID: 7704)
    • There is functionality for taking screenshot (YARA)

      • _2daa85b39f3abd83588a142eff2d00476382336ab0f6d69bc68ad52b7302668e.exe (PID: 7704)
      • LunnyClient.exe (PID: 7184)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • _2daa85b39f3abd83588a142eff2d00476382336ab0f6d69bc68ad52b7302668e.exe (PID: 7704)
    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 7196)
      • cmd.exe (PID: 2964)
    • Accesses product unique identifier via WMI (SCRIPT)

      • WMIC.exe (PID: 3332)
    • Application launched itself

      • LunnyClient.exe (PID: 4428)
      • cmd.exe (PID: 7644)
      • cmd.exe (PID: 6744)
      • cmd.exe (PID: 7916)
      • cmd.exe (PID: 5724)
    • Starts CMD.EXE for commands execution

      • LunnyClient.exe (PID: 4428)
      • cmd.exe (PID: 7644)
      • cmd.exe (PID: 7916)
      • cmd.exe (PID: 6744)
      • cmd.exe (PID: 5724)
      • python.exe (PID: 6048)
      • python.exe (PID: 6764)
      • python.exe (PID: 4972)
      • python.exe (PID: 5324)
    • Starts POWERSHELL.EXE for commands execution

      • cscript.exe (PID: 1164)
      • cmd.exe (PID: 7384)
      • cscript.exe (PID: 5876)
      • cmd.exe (PID: 2760)
      • cmd.exe (PID: 4084)
      • cmd.exe (PID: 7424)
      • LunnyClient.exe (PID: 4428)
    • Manipulates environment variables

      • powershell.exe (PID: 2160)
      • powershell.exe (PID: 6536)
    • Runs shell command (SCRIPT)

      • cscript.exe (PID: 1164)
      • cscript.exe (PID: 5876)
    • Possible usage of Discord/Telegram API has been detected (YARA)

      • LunnyClient.exe (PID: 4428)
    • The process executes VB scripts

      • cmd.exe (PID: 6972)
      • cmd.exe (PID: 7480)
      • cmd.exe (PID: 2948)
      • cmd.exe (PID: 3404)
      • cmd.exe (PID: 6312)
    • Connects to unusual port

      • LunnyClient.exe (PID: 4428)
    • Script adds exclusion path to Windows Defender

      • cscript.exe (PID: 1164)
      • cscript.exe (PID: 5876)
    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 7760)
      • cmd.exe (PID: 2376)
      • cmd.exe (PID: 3364)
      • cmd.exe (PID: 5656)
      • cmd.exe (PID: 5332)
      • cmd.exe (PID: 7768)
      • cmd.exe (PID: 7948)
      • cmd.exe (PID: 1788)
      • cmd.exe (PID: 8092)
      • cmd.exe (PID: 8044)
    • Starts SC.EXE for service management

      • cmd.exe (PID: 6464)
    • Windows service management via SC.EXE

      • sc.exe (PID: 6240)
    • Script disables Windows Defender's real-time protection

      • cmd.exe (PID: 7384)
    • Get information on the list of running processes

      • LunnyClient.exe (PID: 4428)
    • Hides command output

      • cmd.exe (PID: 7644)
      • cmd.exe (PID: 7648)
      • cmd.exe (PID: 2760)
      • cmd.exe (PID: 6744)
      • cmd.exe (PID: 464)
      • cmd.exe (PID: 5724)
      • cmd.exe (PID: 7916)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 7648)
    • Kill processes via PowerShell

      • powershell.exe (PID: 4824)
    • Uses WMIC.EXE to obtain data on processes

      • cmd.exe (PID: 464)
    • Hides errors and continues executing the command without stopping

      • powershell.exe (PID: 4824)
      • powershell.exe (PID: 2948)
    • Cryptography encrypted command line is found

      • cmd.exe (PID: 4084)
      • powershell.exe (PID: 7984)
      • powershell.exe (PID: 7560)
      • cmd.exe (PID: 7424)
    • The process drops C-runtime libraries

      • LunnyClient.exe (PID: 4428)
    • Process drops python dynamic module

      • LunnyClient.exe (PID: 4428)
      • python.exe (PID: 4972)
      • python.exe (PID: 6048)
    • Loads Python modules

      • python.exe (PID: 6764)
      • python.exe (PID: 6048)
      • python.exe (PID: 4972)
      • python.exe (PID: 5324)
    • Uses TASKKILL.EXE to kill Browsers

      • cmd.exe (PID: 2312)
      • cmd.exe (PID: 7916)
      • cmd.exe (PID: 7828)
    • Browser headless start

      • msedge.exe (PID: 5268)
      • msedge.exe (PID: 1960)
      • msedge.exe (PID: 896)
      • msedge.exe (PID: 4912)
      • msedge.exe (PID: 7792)
    • Uses WMIC.EXE to obtain a list of video controllers

      • cmd.exe (PID: 6272)
    • Potential Corporate Privacy Violation

      • LunnyClient.exe (PID: 4428)
    • Checks for external IP

      • LunnyClient.exe (PID: 4428)
  • INFO

    • Create files in a temporary directory

      • _2daa85b39f3abd83588a142eff2d00476382336ab0f6d69bc68ad52b7302668e.exe (PID: 7704)
      • LunnyClient.exe (PID: 4428)
      • powershell.exe (PID: 2948)
      • python.exe (PID: 6048)
      • python.exe (PID: 4972)
      • python.exe (PID: 6764)
      • python.exe (PID: 5324)
    • Checks supported languages

      • _2daa85b39f3abd83588a142eff2d00476382336ab0f6d69bc68ad52b7302668e.exe (PID: 7704)
      • LunnyClient.exe (PID: 7944)
      • LunnyClient.exe (PID: 7184)
      • LunnyClient.exe (PID: 4428)
      • python.exe (PID: 6764)
      • python.exe (PID: 6048)
      • python.exe (PID: 4972)
      • python.exe (PID: 5324)
      • LunnyClient.exe (PID: 7408)
      • identity_helper.exe (PID: 6212)
    • Creates files in the program directory

      • _2daa85b39f3abd83588a142eff2d00476382336ab0f6d69bc68ad52b7302668e.exe (PID: 7704)
    • Creates files or folders in the user directory

      • _2daa85b39f3abd83588a142eff2d00476382336ab0f6d69bc68ad52b7302668e.exe (PID: 7704)
      • LunnyClient.exe (PID: 4428)
      • cscript.exe (PID: 864)
      • python.exe (PID: 6764)
      • python.exe (PID: 6048)
      • python.exe (PID: 4972)
      • LunnyClient.exe (PID: 7408)
    • Application launched itself

      • chrome.exe (PID: 4164)
      • msedge.exe (PID: 1960)
      • msedge.exe (PID: 896)
      • msedge.exe (PID: 5268)
    • The sample compiled with english language support

      • _2daa85b39f3abd83588a142eff2d00476382336ab0f6d69bc68ad52b7302668e.exe (PID: 7704)
      • LunnyClient.exe (PID: 4428)
      • python.exe (PID: 6048)
    • Reads the computer name

      • _2daa85b39f3abd83588a142eff2d00476382336ab0f6d69bc68ad52b7302668e.exe (PID: 7704)
      • LunnyClient.exe (PID: 4428)
      • LunnyClient.exe (PID: 7184)
      • LunnyClient.exe (PID: 7944)
      • python.exe (PID: 6764)
      • python.exe (PID: 6048)
      • python.exe (PID: 4972)
      • LunnyClient.exe (PID: 7408)
      • python.exe (PID: 5324)
      • identity_helper.exe (PID: 6212)
    • Reads Environment values

      • LunnyClient.exe (PID: 4428)
      • identity_helper.exe (PID: 6212)
    • Creates a software uninstall entry

      • _2daa85b39f3abd83588a142eff2d00476382336ab0f6d69bc68ad52b7302668e.exe (PID: 7704)
    • Reads product name

      • LunnyClient.exe (PID: 4428)
    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 3332)
      • cscript.exe (PID: 1164)
      • cscript.exe (PID: 5876)
      • cscript.exe (PID: 8052)
      • WMIC.exe (PID: 7856)
      • cscript.exe (PID: 864)
      • cscript.exe (PID: 7056)
      • powershell.exe (PID: 2948)
      • WMIC.exe (PID: 6432)
      • WMIC.exe (PID: 7236)
    • Checks proxy server information

      • LunnyClient.exe (PID: 4428)
      • slui.exe (PID: 2348)
      • python.exe (PID: 6764)
      • python.exe (PID: 4972)
      • python.exe (PID: 6048)
    • Reads the machine GUID from the registry

      • LunnyClient.exe (PID: 4428)
      • python.exe (PID: 6764)
      • python.exe (PID: 4972)
      • python.exe (PID: 6048)
      • python.exe (PID: 5324)
      • LunnyClient.exe (PID: 7408)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 2160)
      • powershell.exe (PID: 6536)
      • powershell.exe (PID: 1844)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 2160)
      • powershell.exe (PID: 6536)
      • powershell.exe (PID: 1844)
    • Launching a file from the Startup directory

      • cscript.exe (PID: 864)
    • Node.js compiler has been detected

      • LunnyClient.exe (PID: 4428)
      • LunnyClient.exe (PID: 7184)
      • LunnyClient.exe (PID: 7944)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 2948)
    • Process checks computer location settings

      • LunnyClient.exe (PID: 4428)
    • Python executable

      • python.exe (PID: 4972)
      • python.exe (PID: 6048)
      • python.exe (PID: 6764)
      • python.exe (PID: 5324)
    • Checks operating system version

      • python.exe (PID: 6764)
      • python.exe (PID: 4972)
      • python.exe (PID: 6048)
    • Drops encrypted JS script (Microsoft Script Encoder)

      • python.exe (PID: 4972)
      • python.exe (PID: 6764)
      • python.exe (PID: 6048)
    • Attempting to use instant messaging service

      • LunnyClient.exe (PID: 4428)
    • Reads CPU info

      • LunnyClient.exe (PID: 4428)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

ims-api

(PID) Process: (4428) LunnyClient.exe
Discord-Webhook-Tokens (1): 1441144105433436250/b0JHzCnLbjJTWbj_3q36_eoabWc3oQ7jeJWB53YaocDHoQoMLfUtQvkztMnnxRHKMk37
Discord-Info-Links: Get Webhook Info: https://discord.com/api/webhooks/1441144105433436250/b0JHzCnLbjJTWbj_3q36_eoabWc3oQ7jeJWB53YaocDHoQoMLfUtQvkztMnnxRHKMk37
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
336
Monitored processes
173
Malicious processes
12
Suspicious processes
18

Behavior graph: interactive process tree (available in the full report)

Process information

PID | CMD | Path | Indicators | Parent process
224 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | - | cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
464 | C:\WINDOWS\system32\cmd.exe /d /s /c "wmic process where "name like 'Discord%'" delete >nul 2>&1" | C:\Windows\System32\cmd.exe | - | LunnyClient.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
864 | cscript //nologo "C:\Users\admin\AppData\Local\Temp\sysZxammz256.vbs" | C:\Windows\System32\cscript.exe | - | cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft ® Console Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\cscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
864 | C:\WINDOWS\system32\cmd.exe /c "ver" | C:\Windows\System32\cmd.exe | - | python.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
876 | C:\WINDOWS\system32\cmd.exe /d /s /c ""C:\Users\admin\AppData\Local\DiscordDevelopment\DiscordDevelopment.exe"" | C:\Windows\System32\cmd.exe | - | LunnyClient.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
896 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless=new --no-first-run --restore-last-session --remote-debugging-port=9522 --remote-allow-origins=* --user-data-dir="C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" --profile-directory=Default --disable-gpu --mute-audio --disable-extensions --disable-background-mode --no-sandbox --noerrdialogs --flag-switches-begin --disable-quic --flag-switches-end --do-not-de-elevate about:blank | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | - | explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
1
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
988 | findstr /I "Development" | C:\Windows\System32\findstr.exe | - | cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Find String (QGREP) Utility
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
1164 | cscript //nologo "C:\Users\admin\AppData\Local\Temp\temp_1764436224809.vbs" /elevate:true | C:\Windows\System32\cscript.exe | - | cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft ® Console Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\cscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
1164 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | - | python.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1172 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | - | cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
45 565
Read events
45 548
Write events
17
Delete events
0

Modification events

PID 6744 WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface | Operation: write | Name: ShowPassword | Value: 0
PID 6744 WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: name | Value: 120
PID 6744 WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: size | Value: 80
PID 6744 WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: type | Value: 120
PID 6744 WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: mtime | Value: 100
PID 7704 _2daa85b39f3abd83588a142eff2d00476382336ab0f6d69bc68ad52b7302668e.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\f8651b42-ff52-5d0f-867b-e96ab05270a6 | Operation: write | Name: InstallLocation | Value: C:\Program Files\LunnyClient
PID 7704 _2daa85b39f3abd83588a142eff2d00476382336ab0f6d69bc68ad52b7302668e.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\f8651b42-ff52-5d0f-867b-e96ab05270a6 | Operation: write | Name: KeepShortcuts | Value: true
PID 7704 _2daa85b39f3abd83588a142eff2d00476382336ab0f6d69bc68ad52b7302668e.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\f8651b42-ff52-5d0f-867b-e96ab05270a6 | Operation: write | Name: ShortcutName | Value: LunnyClient
PID 7704 _2daa85b39f3abd83588a142eff2d00476382336ab0f6d69bc68ad52b7302668e.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\f8651b42-ff52-5d0f-867b-e96ab05270a6 | Operation: write | Name: DisplayName | Value: LunnyClient 1.0.0
PID 7704 _2daa85b39f3abd83588a142eff2d00476382336ab0f6d69bc68ad52b7302668e.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\f8651b42-ff52-5d0f-867b-e96ab05270a6 | Operation: write | Name: UninstallString | Value: "C:\Program Files\LunnyClient\Uninstall LunnyClient.exe" /allusers
Executable files
181
Suspicious files
4 244
Text files
2 545
Unknown types
3

Dropped files

PID | Process | Filename | Type
4164 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\ClientCertificates\LOG.old~RF161ee7.TMP | -
4164 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\ClientCertificates\LOG.old | -
4164 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB\LOG.old~RF161f06.TMP | -
4164 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB\LOG.old | -
4164 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOG.old~RF161f06.TMP | -
4164 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\parcel_tracking_db\LOG.old~RF161f06.TMP | -
4164 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old~RF161f06.TMP | -
4164 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\chrome_cart_db\LOG.old~RF161f06.TMP | -
4164 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\parcel_tracking_db\LOG.old | -
4164 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old | -
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
14
TCP/UDP connections
104
DNS requests
88
Threats
29

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3032 | svchost.exe | GET | 200 | 23.216.77.25:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted
7600 | SIHClient.exe | GET | 200 | 23.216.77.25:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | NL | binary | 824 b | whitelisted
7600 | SIHClient.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | US | binary | 419 b | whitelisted
7600 | SIHClient.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.3.crl | US | binary | 813 b | whitelisted
2500 | chrome.exe | GET | 200 | 142.250.185.206:80 | http://clients2.google.com/time/1/current?cup2key=8:WEzlDkKPL3Dg1mT-8g94eMCDFjTbjOQ0pJwMtC3P-20&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 | US | text | 106 b | whitelisted
1276 | svchost.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | binary | 471 b | whitelisted
7600 | SIHClient.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | US | binary | 408 b | whitelisted
7600 | SIHClient.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl | US | binary | 814 b | whitelisted
4572 | svchost.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | binary | 471 b | whitelisted
7600 | SIHClient.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.3.crl | US | binary | 401 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | Not routed | whitelisted
3032 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
5596 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
5320 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
2500 | chrome.exe | 142.250.185.206:80 | clients2.google.com | GOOGLE | US | whitelisted
4 | System | 192.168.100.255:138 | - | - | Not routed | whitelisted
2500 | chrome.exe | 142.250.74.202:443 | safebrowsingohttpgateway.googleapis.com | GOOGLE | US | whitelisted
2500 | chrome.exe | 66.102.1.84:443 | accounts.google.com | GOOGLE | US | whitelisted
- | - | 103.224.182.241:443 | roblox.co | TRELLIAN-AS-AP Trellian Pty. Limited | AU | unknown
2500 | chrome.exe | 103.224.182.241:443 | roblox.co | TRELLIAN-AS-AP Trellian Pty. Limited | AU | unknown

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 20.73.194.208, 51.124.78.146, 40.127.240.158 | whitelisted
google.com | 142.250.184.206 | whitelisted
clients2.google.com | 142.250.185.206 | whitelisted
safebrowsingohttpgateway.googleapis.com | 142.250.74.202, 142.250.185.106, 142.250.185.202, 142.250.185.234, 142.250.181.234, 216.58.206.74, 142.250.185.138, 142.251.140.170, 216.58.206.42, 172.217.23.106, 142.250.184.234, 142.250.184.202, 142.250.185.74, 142.250.185.170, 142.250.186.42, 172.217.18.10 | whitelisted
roblox.co | 103.224.182.241 | unknown
accounts.google.com | 66.102.1.84 | whitelisted
paqofy.com | 103.224.182.220 | unknown
click-v4.explodnmainclck.com | 198.134.116.17 | unknown
primenetworkchain.com | 168.119.149.123 | unknown
alishopmart.com | 188.114.97.3, 188.114.96.3 | unknown

Threats

PID | Process | Class | Message
- | - | Attempted Information Leak | SUSPICIOUS [ANY.RUN] FingerprintJS Usage Observed in HTTP response
- | - | Attempted Information Leak | SUSPICIOUS [ANY.RUN] FingerprintJS Usage Observed in HTTP response
2500 | chrome.exe | Not Suspicious Traffic | INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
2500 | chrome.exe | Not Suspicious Traffic | INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
2500 | chrome.exe | Not Suspicious Traffic | INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
2500 | chrome.exe | Not Suspicious Traffic | INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
- | - | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
2276 | svchost.exe | Misc activity | ET INFO Discord Chat Service Domain in DNS Lookup (discord .com)
2276 | svchost.exe | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discord .com)
4428 | LunnyClient.exe | Misc activity | ET INFO Observed Discord Service Domain (discord .com) in TLS SNI
Process | Message
msedge.exe | RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\Microsoft\Edge\User Data directory exists )
msedge.exe | RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\Microsoft\Edge\User Data directory exists )