File name:	FastClient-Setup.exe
Full analysis:	https://app.any.run/tasks/d0f38ac9-4d40-4d83-9a02-d71418d01dfb
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	March 31, 2026, 18:46:48
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	auto-reg loader
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:	3105E35BBF84B3B79F8F3A879270A093
SHA1:	15D89E16BE28EF8CB886A86680718342B8D36A71
SHA256:	5B827765F5CEE63455ECA2C7E4309E20A1E6652199699A68245DCEE53F008B4C
SSDEEP:	196608:kjeYHP+0ntUxxLRSlbEYw0OmDpfz4KTHuH+lJQmSGcge4dbOO3mWM:I/P+0ezLRkoJkdz4uH6NgeYbG

.exe	\|	Win32 Executable (generic) (52.9)
.exe	\|	Generic Win/DOS Executable (23.5)
.exe	\|	DOS Executable Generic (23.5)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2025:03:08 23:05:20+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	26624
InitializedDataSize:	139776
UninitializedDataSize:	2048
EntryPoint:	0x369f
OSVersion:	4
ImageVersion:	6
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	1.6.0.0
ProductVersionNumber:	1.6.0.0
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
FileDescription:	FastClient
FileVersion:	1.6.0
LegalCopyright:	-
ProductName:	FastClient
ProductVersion:	1.6.0


(PID) Process:	(2204) MicrosoftEdgeUpdate.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate
Operation:	write	Name:	path
Value: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
(PID) Process:	(2204) MicrosoftEdgeUpdate.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate
Operation:	write	Name:	CopilotUpdatePath
Value: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\CopilotUpdate.exe
(PID) Process:	(2204) MicrosoftEdgeUpdate.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate
Operation:	write	Name:	UninstallCmdLine
Value: "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /uninstall
(PID) Process:	(2204) MicrosoftEdgeUpdate.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate\Clients\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}
Operation:	write	Name:	pv
Value: 1.3.225.7
(PID) Process:	(2204) MicrosoftEdgeUpdate.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate\Clients\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}
Operation:	write	Name:	name
Value: Microsoft Edge Update
(PID) Process:	(2204) MicrosoftEdgeUpdate.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate\ClientState\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}
Operation:	write	Name:	pv
Value: 1.3.225.7
(PID) Process:	(2204) MicrosoftEdgeUpdate.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	Microsoft Edge Update
Value: "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.225.7\MicrosoftEdgeUpdateCore.exe"
(PID) Process:	(2204) MicrosoftEdgeUpdate.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate
Operation:	delete value	Name:	eulaaccepted
Value:
(PID) Process:	(2204) MicrosoftEdgeUpdate.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate
Operation:	write	Name:	edgeupdate_task_name_c
Value: MicrosoftEdgeUpdateTaskUserS-1-5-21-1693682860-607145093-2874071422-1001Core{51BACF72-BAD5-41DD-8083-7A0653DBBCF6}
(PID) Process:	(2204) MicrosoftEdgeUpdate.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate
Operation:	write	Name:	edgeupdate_task_name_ua
Value: MicrosoftEdgeUpdateTaskUserS-1-5-21-1693682860-607145093-2874071422-1001UA{32C79390-6F8F-4AC9-842A-4D94976FEF3A}

PID	Process	Filename		Type
2692	FastClient-Setup.exe	C:\Users\admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe		executable
		MD5:7A859AF9AF33FDAF638EED723391B880	SHA256:02C97E5E32A97D896163EC68A3EA3AB0339E57F274348B8689399638B649B2B9
2692	FastClient-Setup.exe	C:\Users\admin\AppData\Local\Temp\nsp149F.tmp\NSISdl.dll		executable
		MD5:8EABBE36E8B52E69322780D0F541FD19	SHA256:DDF40229DD9D6B268902D8DEA88C8A04AACF1AF218DD29F6DCD35BABC54AC08D
2692	FastClient-Setup.exe	C:\Users\admin\AppData\Local\Temp\nsp149F.tmp\nsDialogs.dll		executable
		MD5:8F0E7415F33843431DF308BB8E06AF81	SHA256:BB49F15FA83452370047A7801E39FC7F64E70C7545B8999BB85AA4749EAA048B
7668	MicrosoftEdgeWebview2Setup.exe	C:\Users\admin\AppData\Local\Temp\EU3A07.tmp\CopilotUpdate.exe		executable
		MD5:716396FD17E02309319037806275134B	SHA256:631A1BA21144EB1698A1F920C5777B8BD79C57F7DB571D2CCB84CC48E1751AD5
7668	MicrosoftEdgeWebview2Setup.exe	C:\Users\admin\AppData\Local\Temp\EU3A07.tmp\MicrosoftEdgeUpdateBroker.exe		executable
		MD5:D1FE77DB9696E9D6603108316B3182FC	SHA256:4E706B07D9DCC85DE769843BDFEDA5B8982657B151AA8CFD49B295E51041280E
7668	MicrosoftEdgeWebview2Setup.exe	C:\Users\admin\AppData\Local\Temp\EU3A07.tmp\msedgeupdate.dll		executable
		MD5:C0C5EE3503D2C0E39A9DCC85C662781C	SHA256:F51E55956CEA63E78C59B0C3C708019588ADB3B3B0FE085A13EFBC282BC0FD3C
7668	MicrosoftEdgeWebview2Setup.exe	C:\Users\admin\AppData\Local\Temp\EU3A07.tmp\MicrosoftEdgeComRegisterShellARM64.exe		executable
		MD5:54D7885B8BCC423915DB8965A0F5880E	SHA256:BF0DCC66D594804DF075E79D5030BFECF3913C06104C2F2F1942538491BBAA24
7668	MicrosoftEdgeWebview2Setup.exe	C:\Users\admin\AppData\Local\Temp\EU3A07.tmp\psmachine.dll		executable
		MD5:D0D279773128DCDF13A889389D79626E	SHA256:0250589730D194EC1617E89790BDCDDEE0C4D2E653AA5DCB4839AD16E2BC5DF5
7668	MicrosoftEdgeWebview2Setup.exe	C:\Users\admin\AppData\Local\Temp\EU3A07.tmp\MicrosoftEdgeUpdateOnDemand.exe		executable
		MD5:83CF034C56E82BF513ADB55C3B47653C	SHA256:55FD76B4F76152D966F5599519BBB76513AD905EA6CCC18D5C1716E7BE7481D0
2692	FastClient-Setup.exe	C:\Users\admin\AppData\Local\Temp\nsp149F.tmp\modern-wizard.bmp		image
		MD5:CBE40FD2B1EC96DAEDC65DA172D90022	SHA256:3AD2DC318056D0A2024AF1804EA741146CFC18CC404649A44610CBF8B2056CF2

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4872	svchost.exe	GET	200	23.216.77.26:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	NL	binary	825 b	whitelisted
4872	svchost.exe	GET	200	23.52.181.212:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	US	binary	814 b	whitelisted
5276	MoUsoCoreWorker.exe	GET	200	23.52.181.212:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	US	binary	814 b	whitelisted
—	—	POST	500	48.192.1.64:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	US	text	512 b	whitelisted
5316	svchost.exe	POST	200	40.126.32.136:443	https://login.live.com/RST2.srf	US	binary	1.24 Kb	whitelisted
5316	svchost.exe	POST	200	40.126.31.69:443	https://login.live.com/RST2.srf	US	—	1.24 Kb	whitelisted
2532	SIHClient.exe	GET	304	20.165.94.63:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	US	—	—	whitelisted
5316	svchost.exe	POST	400	40.126.31.69:443	https://login.live.com/ppsecure/deviceaddcredential.srf	US	—	203 b	whitelisted
—	—	POST	400	40.126.32.136:443	https://login.live.com/ppsecure/deviceaddcredential.srf	US	binary	203 b	whitelisted
—	—	POST	400	40.126.32.136:443	https://login.live.com/ppsecure/deviceaddcredential.srf	US	binary	203 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4	System	192.168.100.255:137	—	Not routed	—	whitelisted
—	—	48.192.1.65:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
—	—	2.16.241.205:443	www.bing.com	AKAMAI-ASN1	NL	whitelisted
4	System	192.168.100.255:138	—	Not routed	—	whitelisted
4872	svchost.exe	23.216.77.26:80	crl.microsoft.com	AKAMAI-ASN1	NL	whitelisted
4872	svchost.exe	23.52.181.212:80	www.microsoft.com	AKAMAI-AS	US	whitelisted
5276	MoUsoCoreWorker.exe	23.52.181.212:80	www.microsoft.com	AKAMAI-AS	US	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
5208	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 51.104.136.2	whitelisted
activation-v2.sls.microsoft.com	48.192.1.65	whitelisted
www.bing.com	2.16.241.205 2.16.241.218 2.16.241.207	whitelisted
google.com	142.251.127.101 142.251.127.113 142.251.127.102 142.251.127.138 142.251.127.100 142.251.127.139	whitelisted
crl.microsoft.com	23.216.77.26 23.216.77.28 23.216.77.18 23.216.77.13 23.216.77.25 23.216.77.20 23.216.77.29 23.216.77.15 23.216.77.22 23.216.77.41 23.216.77.42 23.216.77.6 23.216.77.37 23.216.77.36 23.216.77.8 23.216.77.38	whitelisted
www.microsoft.com	23.52.181.212 88.221.169.152 23.59.18.102	whitelisted
client.wns.windows.com	172.211.123.250 172.211.123.248	whitelisted
login.live.com	40.126.31.69 20.190.159.131 40.126.31.131 20.190.159.73 40.126.31.1 20.190.159.128 20.190.159.2 20.190.159.64	whitelisted
go.microsoft.com	88.221.169.205	whitelisted
msedge.sf.dl.delivery.mp.microsoft.com	2.16.10.185 2.16.10.186	whitelisted

PID	Process	Class	Message
2692	FastClient-Setup.exe	Misc activity	ET INFO Packed Executable Download
1724	svchost.exe	Misc activity	ET INFO Packed Executable Download

General Info

FastClient-Setup.exe

3105E35BBF84B3B79F8F3A879270A093

15D89E16BE28EF8CB886A86680718342B8D36A71

5B827765F5CEE63455ECA2C7E4309E20A1E6652199699A68245DCEE53F008B4C

196608:kjeYHP+0ntUxxLRSlbEYw0OmDpfz4KTHuH+lJQmSGcge4dbOO3mWM:I/P+0ezLRkoJkdz4uH6NgeYbG

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes the autorun value in the registry

SUSPICIOUS

Malware-specific behavior (creating "System.dll" in Temp)

Executable content was dropped or overwritten

The process creates files with name similar to system file names

Silent install from TEMP directory

Starts a Microsoft application from unusual location

Searches for installed software

Starts itself from another location

Creates/Modifies COM task schedule object

INFO

Checks supported languages

The sample compiled with english language support

Reads the computer name

Create files in a temporary directory

There is functionality for taking screenshot (YARA)

Creates files or folders in the user directory

Launching a file from a Registry key

Reads Environment values

Reads security settings of Internet Explorer

Reads the machine GUID from the registry

Manual execution by a user

Creates a software uninstall entry

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings