File name:	LarpV7-1.0.0.jar
Full analysis:	https://app.any.run/tasks/c4de64f0-6182-48b9-a0f0-d2d908f5c657
Verdict:	Malicious activity
Threats:	Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	May 07, 2026, 18:12:01
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	etherhiding stealer weedhack evasion anti-evasion auto-sch auto-reg auto antivm pua adware websocket rustystealer loader netreactor purehvnc golang
Indicators:
MIME:	application/java-archive
File info:	Java archive data (JAR)
MD5:	8C7436FAD874F0EB49197C515B683529
SHA1:	179EDFD20B4A27D9DA546C8A8C677398501650B6
SHA256:	947BBFFBDEC5F5E69B059A99D330E63FF2832E36990B2F9C18ED90D010F3EC6D
SSDEEP:	6144:ZYS1+AqAzzmWJ+CRa6FnoTiGpFZm3D0jVn5GGc1CCvSR4Scjv94K60qeuxKQDDwJ:XNzV+CRcb5N47rPUP72184dK91XG

ZipRequiredVersion:	20
ZipBitFlag:	0x0808
ZipCompression:	Deflated
ZipModifyDate:	2026:05:07 18:59:48
ZipCRC:	0x5c30d615
ZipCompressedSize:	270
ZipUncompressedSize:	355
ZipFileName:	pji7f/y5rvke/hlWqrue.class


(PID) Process:	(7604) slui.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\3d\52C64B7E
Operation:	write	Name:	@%SystemRoot%\System32\sppcomapi.dll,-3200
Value: Software Licensing
(PID) Process:	(7336) cmstp.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(7336) cmstp.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(7336) cmstp.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(7336) cmstp.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP
Operation:	write	Name:	FileTracingMask
Value:
(PID) Process:	(7336) cmstp.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP
Operation:	write	Name:	ConsoleTracingMask
Value:
(PID) Process:	(7336) cmstp.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP
Operation:	write	Name:	MaxFileSize
Value: 1048576
(PID) Process:	(7336) cmstp.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP
Operation:	write	Name:	FileDirectory
Value: %windir%\tracing
(PID) Process:	(7336) cmstp.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\Network Connections
Operation:	write	Name:	DesktopShortcut
Value: 0
(PID) Process:	(7964) dllhost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\cmmgr32.exe
Operation:	write	Name:	ProfileInstallPath
Value: C:\ProgramData\Microsoft\Network\Connections\Cm

PID	Process	Filename		Type
7664	javaw.exe	C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1693682860-607145093-2874071422-1001\83aa4cc77f591dfc2374580bbd95f6ba_bb926e54-e3ca-40fd-ae90-2764341e7792		binary
		MD5:C8366AE350E7019AEFC9D1E6E6A498C6	SHA256:11E6ACA8E682C046C83B721EEB5C72C5EF03CB5936C60DF6F4993511DDC61238
7664	javaw.exe	C:\Users\admin\AppData\Local\Temp\lib2223366939066382848.tmp		executable
		MD5:3FE0E561EE3DE87C8A786DCB2B0C3D79	SHA256:B3E8C2DC252BF68E47EC2AB052592D159468F11CE9851B3DE9951D17AA24104A
7508	javaw.exe	C:\Users\admin\AppData\Local\Temp\jna-1778177543596\jnidispatch.dll		executable
		MD5:2D2475F1F026DD54E9F3E787AE4F81DA	SHA256:5A7FF949F6D93D86491EB5B26B1CFC60051168A60622650224B89995AC420023
7664	javaw.exe	C:\Users\admin\AppData\Local\Temp\elpifiuptq.acdm		text
		MD5:A18FB0BBE3E67074CA6D0134C0B7D5F7	SHA256:FDCEAFE4DCF9CF6D23B2033824275C08EC73D6B01ADC644416E43ECCA94C89C9
7508	javaw.exe	C:\Users\admin\AppData\Roaming\debug.log		text
		MD5:CFFAE552E59C7CAEC6F66760F260E80D	SHA256:22E258C0F703B1FB9C24956EF26CD4F87444437B91B6D6317AB8117D307910A5
7664	javaw.exe	C:\Users\admin\AppData\Local\Temp\elevator.jar		compressed
		MD5:E2BD2DEEBA2A33B13B8F9D097AC81681	SHA256:B27F30422A4FD0614C4954335DDC9E16FB267D601F9625E85EC652062D86CA81
7508	javaw.exe	C:\Users\admin\AppData\Local\Temp\lib752298271915086371.tmp		executable
		MD5:6F06E8C7B9DC15B246E67529A9F39323	SHA256:6A6E7BC867CB9B34F61D34251BEE6243A0920B0EC6BC3DEBBDE58C4160F87ECD
7664	javaw.exe	C:\Users\admin\AppData\Local\Temp\elv.vbs		text
		MD5:AA4A15508E79366E1CCF07923BB95946	SHA256:14BC8D1165BB0E1BC9E2185AD0C38E1D8C08DC4DE7D53E47D01ED25438EAC97A
7688	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_zsypafx4.fpw.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7508	javaw.exe	C:\Users\admin\AppData\Local\Temp\WinDefConfig.cmd		text
		MD5:C925DCFC4CDBDBED3465824646A660FB	SHA256:1B5CA4D2B5EB23041DA0F6EFFDC408D50768701D4140A21C9FBD244F9458D720

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5276	MoUsoCoreWorker.exe	GET	304	51.124.78.146:443	https://settings-win.data.microsoft.com/settings/v3.0/wsd/muse?ProcessorClockSpeed=3094&FlightIds=&UpdateOfferedDays=4294967295&BranchReadinessLevel=CB&OEMManufacturerName=DELL&IsCloudDomainJoined=0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&sku=48&ActivationChannel=Retail&AttrDataVer=186&IsMDMEnrolled=0&ProcessorCores=6&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&TotalPhysicalRAM=6144&PrimaryDiskType=4294967295&FlightingBranchName=&ChassisTypeId=1&OEMModelNumber=DELL&SystemVolumeTotalCapacity=260281&sampleId=95271487&deviceClass=Windows.Desktop&App=muse&DisableDualScan=0&AppVer=10.0&OEMSubModel=J5CR&locale=en-US&IsAlwaysOnAlwaysConnectedCapable=0&ms=0&DefaultUserRegion=244&UpdateServiceUrl=http%3A%2F%2Fneverupdatewindows10.com&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&os=windows&deviceId=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&DeferQualityUpdatePeriodInDays=0&ring=Retail&DeferFeatureUpdatePeriodInDays=30	US	—	—	whitelisted
7984	svchost.exe	GET	200	51.124.78.146:443	https://settings-win.data.microsoft.com/settings/v3.0/WSD/WaasMedic?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&appVer=10.0.19041.3758&ring=Retail&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4	US	text	3.41 Kb	whitelisted
7984	svchost.exe	GET	200	2.21.20.137:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	NL	binary	825 b	whitelisted
7984	svchost.exe	GET	200	95.100.102.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	US	binary	814 b	whitelisted
5276	MoUsoCoreWorker.exe	GET	200	95.100.102.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	US	binary	814 b	whitelisted
7664	javaw.exe	GET	200	1.0.0.1:443	https://cloudflare-dns.com/dns-query?name=eth.llamarpc.com&type=A	AU	text	264 b	unknown
7664	javaw.exe	GET	200	1.0.0.1:443	https://cloudflare-dns.com/dns-query?name=eth.api.onfinality.io&type=A	AU	text	288 b	unknown
7664	javaw.exe	POST	200	142.215.53.55:443	https://eth.api.onfinality.io/public	CA	text	934 b	malicious
—	—	POST	400	20.190.159.128:443	https://login.live.com/ppsecure/deviceaddcredential.srf	US	text	204 b	whitelisted
5316	svchost.exe	POST	400	20.190.159.71:443	https://login.live.com/ppsecure/deviceaddcredential.srf	US	text	204 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	Not routed	—	whitelisted
7984	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
5276	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
8028	slui.exe	48.192.1.64:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4	System	192.168.100.255:138	—	Not routed	—	whitelisted
7984	svchost.exe	2.21.20.137:80	crl.microsoft.com	AKAMAI-ASN1	NL	whitelisted
7984	svchost.exe	95.100.102.101:80	www.microsoft.com	AKAMAI-AS	US	whitelisted
5276	MoUsoCoreWorker.exe	95.100.102.101:80	www.microsoft.com	AKAMAI-AS	US	whitelisted
7664	javaw.exe	104.16.249.249:443	cloudflare-dns.com	CLOUDFLARENET	US	whitelisted
5276	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
activation-v2.sls.microsoft.com	48.192.1.64	whitelisted
google.com	142.251.14.113 142.251.14.100 142.251.14.101 142.251.14.139 142.251.14.138 142.251.14.102	whitelisted
crl.microsoft.com	2.21.20.137 2.21.20.133 2.16.164.72 2.16.164.67 2.16.164.51 2.16.164.40 2.16.164.99 2.16.164.10 2.16.164.32 2.16.164.33 2.16.164.58	whitelisted
www.microsoft.com	95.100.102.101 23.52.181.212 88.221.169.152	whitelisted
cloudflare-dns.com	104.16.249.249 104.16.248.249	whitelisted
settings-win.data.microsoft.com	40.127.240.158 51.124.78.146	whitelisted
client.wns.windows.com	172.211.123.248 172.211.123.249	whitelisted
login.live.com	20.190.159.71 20.190.159.2 40.126.31.0 40.126.31.71 40.126.31.1 20.190.159.75 20.190.159.68 20.190.159.0	whitelisted
slscr.update.microsoft.com	20.165.94.63	whitelisted
fe3cr.delivery.mp.microsoft.com	74.179.77.164	whitelisted

PID	Process	Class	Message
2232	svchost.exe	Misc activity	INFO [ANY.RUN] Cloudflare DNS-over-HTTPS service requested (cloudflare-dns .com)
7984	svchost.exe	Unknown Traffic	ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
7664	javaw.exe	Misc activity	ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)
7664	javaw.exe	A Network Trojan was detected	STEALER WeedHack TLS activity observed
—	—	A Network Trojan was detected	ET MALWARE EtherHiding Exfil M2
—	—	A Network Trojan was detected	ET MALWARE EtherHiding Exfil M2
—	—	Misc activity	INFO [ANY.RUN] DDoS-Guard Hosted Web Content observed
—	—	A Network Trojan was detected	ET MALWARE EtherHiding Exfil M2
7508	javaw.exe	A Network Trojan was detected	STEALER WeedHack TLS activity observed
—	—	A Network Trojan was detected	ET MALWARE EtherHiding Exfil M2

.jar	\|	Java Archive (78.3)
.zip	\|	ZIP compressed archive (21.6)

General Info

LarpV7-1.0.0.jar

8C7436FAD874F0EB49197C515B683529

179EDFD20B4A27D9DA546C8A8C677398501650B6

947BBFFBDEC5F5E69B059A99D330E63FF2832E36990B2F9C18ED90D010F3EC6D

6144:ZYS1+AqAzzmWJ+CRa6FnoTiGpFZm3D0jVn5GGc1CCvSR4Scjv94K60qeuxKQDDwJ:XNzV+CRcb5N47rPUP72184dK91XG

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

WEEDHACK has been detected (SURICATA)

Stealers network behavior

Known privilege escalation attack

Run PowerShell with an invisible window

Changes Windows Defender settings

Adds process to the Windows Defender exclusion list

Changes powershell execution policy (Bypass)

Enumerates physical memory (Win32_PhysicalMemory) (SCRIPT)

Actions looks like stealing of personal data

Steals credentials from Web Browsers

Changes the autorun value in the registry

WEEDHACK has been detected

Adds path to the Windows Defender exclusion list

WEEDHACK has been found (auto)

RUSTYSTEALER has been found (auto)

Uses Task Scheduler to run other applications

PUREHVNC has been detected (YARA)

SUSPICIOUS

Application launched itself

Executable content was dropped or overwritten

Used cmstp for execute code hidden within an inf file

The process executes VB scripts

Executing commands from ".cmd" file

Starts CMD.EXE for commands execution

Runs shell command (SCRIPT)

Starts POWERSHELL.EXE for commands execution

Script adds exclusion process to Windows Defender

Adds exclusion path to Windows Defender (POWERSHELL)

There is functionality for VM detection antiVM strings (YARA)

There is functionality for VM detection VirtualBox (YARA)

Get Video Controller Information (POWERSHELL)

There is functionality for VM detection VMWare (YARA)

The process bypasses the loading of PowerShell profile settings

Bypass execution policy to execute commands

Checks RAM size (probably for evasion)

Possible stealing of messenger data

Loads DLL from Mozilla Firefox

Possible stealing from browsers

Uses NETSH.EXE to obtain data on the network

Possible stealing from crypto wallets

Deletes scheduled task without confirmation

Creates scheduled task with ONLOGON parameter

Creates scheduled task with highest privileges

The executable file from the user directory is run by the CMD process

Base64-obfuscated command line is found

BASE64 encoded PowerShell command has been detected

Reads the date of Windows installation

Uses TASKKILL.EXE to kill process

Starts process via Powershell

Uses NETSH.EXE to add a firewall rule or allowed programs

Suspicious use of NETSH.EXE

Access to an unwanted program domain was detected

Multiple wallet extension IDs have been found

INFO

Create files in a temporary directory

Checks supported languages

Reads Environment values

Creates files or folders in the user directory

Reads the machine GUID from the registry

Reads CPU info

Reads the computer name

Disables trace logs

Checks transactions between databases Windows and Oracle

Process checks computer location settings

Checks if a key exists in the options dictionary (POWERSHELL)

Launching a file from a Registry key

Uses Task Scheduler to autorun other applications (AUTOMATE)

Manual execution by a user