File name:	meteor-client-1.21.11-80.jar
Full analysis:	https://app.any.run/tasks/fab56b39-3be6-4b09-854b-36851c1240b9
Verdict:	Malicious activity
Analysis date:	April 25, 2026, 22:49:31
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	etherhiding python antivm arch-doc arch-exec openssl tool
Indicators:
MIME:	application/java-archive
File info:	Java archive data (JAR)
MD5:	00B3A41B49B09D7C37F0A00961A3F5E9
SHA1:	2A41982B5CFD059D6A50E6DE383987BC70FCB6D5
SHA256:	9653F5A747F9568F92D553CF2D3D58E81A82685964E3BF2FA2EC538384E41AB0
SSDEEP:	98304:DlbADop7m2w36NpgWzCfWrmg0gPsRgAUMgITzQBQsS8MSCkHpG8/Uh1wLbRqHhaT:uUyiEmVPLI0by0

ZipRequiredVersion:	20
ZipBitFlag:	-
ZipCompression:	Deflated
ZipModifyDate:	2026:03:14 16:31:16
ZipCRC:	0x57d4855f
ZipCompressedSize:	5825
ZipUncompressedSize:	11982
ZipFileName:	com/libmod/LangProvider.class


(PID) Process:	(2120) slui.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\3d\52C64B7E
Operation:	write	Name:	@%SystemRoot%\System32\sppcomapi.dll,-3200
Value: Software Licensing

PID	Process	Filename		Type
2840	javaw.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\NtProfileIndex\python.exe		executable
		MD5:FD6AFF3A270AE170C7657373316D37C0	SHA256:CA60CF785B2314A6D6599ECED15BDF094E6DB171BEC996B97A70B995942C3C37
2840	javaw.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\NtProfileIndex\vcruntime140.dll		executable
		MD5:862F820C3251E4CA6FC0AC00E4092239	SHA256:36585912E5EAF83BA9FEA0631534F690CCDC2D7BA91537166FE53E56C221E153
2840	javaw.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\NtProfileIndex\vcruntime140_1.dll		executable
		MD5:68156F41AE9A04D89BB6625A5CD222D4	SHA256:82A2F9AE1E6146AE3CB0F4BC5A62B7227E0384209D9B1AEF86BBCC105912F7CD
2840	javaw.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\NtProfileIndex\python3.dll		executable
		MD5:2E2BB725B92A3D30B1E42CC43275BB7B	SHA256:D52BACA085F88B40F30C855E6C55791E5375C80F60F94057061E77E33F4CAD7A
2840	javaw.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\NtProfileIndex\python312.dll		executable
		MD5:B243D61F4248909BC721674D70A633DE	SHA256:93488FA7E631CC0A2BD808B9EEE8617280EE9B6FF499AB424A1A1CBF24D77DC7
2840	javaw.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\NtProfileIndex\pythonw.exe		executable
		MD5:EE1293BAD480D2F19FC9B852455E89C6	SHA256:D1AC257D433DEFC5516AE5B9BA837922D417164C0CB2FB1C57119FF1C7650524
2840	javaw.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\NtProfileIndex\_install.log		text
		MD5:97688B521F848C425F6717304D7193D2	SHA256:7A32290DD61C9A19EA6FEE3F538E63CB2A7579A251C887A763713E0D5C0E8CD3
2840	javaw.exe	C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1693682860-607145093-2874071422-1001\83aa4cc77f591dfc2374580bbd95f6ba_bb926e54-e3ca-40fd-ae90-2764341e7792		binary
		MD5:C8366AE350E7019AEFC9D1E6E6A498C6	SHA256:11E6ACA8E682C046C83B721EEB5C72C5EF03CB5936C60DF6F4993511DDC61238
2840	javaw.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\NtProfileIndex\pyexpat.pyd		executable
		MD5:B34CA0FCD5E0E4F060FE211273AC2946	SHA256:B6670D91A76E9F00609752AB19AAE0B1EBE00D24D9D8D22068989BBB24D0AA44
2840	javaw.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\NtProfileIndex\winsound.pyd		executable
		MD5:974B5BD2CDF12789D2EA6F07F19FF964	SHA256:4289C991AE42673C43B4B455B6883E4D2583A145813856727FB4BD5BB3E9019E

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5276	MoUsoCoreWorker.exe	GET	304	51.124.78.146:443	https://settings-win.data.microsoft.com/settings/v3.0/wsd/muse?ProcessorClockSpeed=3094&FlightIds=&UpdateOfferedDays=4294967295&BranchReadinessLevel=CB&OEMManufacturerName=DELL&IsCloudDomainJoined=0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&sku=48&ActivationChannel=Retail&AttrDataVer=186&IsMDMEnrolled=0&ProcessorCores=6&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&TotalPhysicalRAM=6144&PrimaryDiskType=4294967295&FlightingBranchName=&ChassisTypeId=1&OEMModelNumber=DELL&SystemVolumeTotalCapacity=260281&sampleId=95271487&deviceClass=Windows.Desktop&App=muse&DisableDualScan=0&AppVer=10.0&OEMSubModel=J5CR&locale=en-US&IsAlwaysOnAlwaysConnectedCapable=0&ms=0&DefaultUserRegion=244&UpdateServiceUrl=http%3A%2F%2Fneverupdatewindows10.com&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&os=windows&deviceId=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&DeferQualityUpdatePeriodInDays=0&ring=Retail&DeferFeatureUpdatePeriodInDays=30	US	—	—	whitelisted
6260	svchost.exe	GET	200	23.216.77.28:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	NL	binary	825 b	whitelisted
2840	javaw.exe	POST	401	173.244.207.30:443	https://polygon-rpc.com/	US	text	101 b	unknown
2840	javaw.exe	POST	200	132.145.155.63:443	https://rpc-mainnet.matic.quiknode.pro/	US	text	231 b	unknown
2120	slui.exe	POST	500	48.192.1.65:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	US	xml	512 b	whitelisted
—	—	POST	400	20.190.160.4:443	https://login.live.com/ppsecure/deviceaddcredential.srf	US	text	204 b	whitelisted
—	—	POST	400	20.190.160.4:443	https://login.live.com/ppsecure/deviceaddcredential.srf	US	text	204 b	whitelisted
8084	SIHClient.exe	GET	304	74.178.240.61:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	US	—	—	whitelisted
5316	svchost.exe	POST	200	20.190.160.3:443	https://login.live.com/RST2.srf	US	xml	1.24 Kb	whitelisted
2840	javaw.exe	GET	200	151.101.0.175:443	https://bootstrap.pypa.io/get-pip.py	US	text	2.09 Mb	unknown

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	Not routed	—	whitelisted
6260	svchost.exe	51.124.78.146:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
5276	MoUsoCoreWorker.exe	51.124.78.146:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
7352	slui.exe	48.192.1.65:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
—	—	184.86.251.22:443	www.bing.com	AKAMAI-ASN1	NL	whitelisted
4	System	192.168.100.255:138	—	Not routed	—	whitelisted
6260	svchost.exe	23.216.77.28:80	crl.microsoft.com	AKAMAI-ASN1	NL	whitelisted
6260	svchost.exe	23.52.181.212:80	www.microsoft.com	AKAMAI-AS	US	whitelisted
5276	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
6260	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
activation-v2.sls.microsoft.com	48.192.1.65	whitelisted
www.bing.com	184.86.251.22 184.86.251.27	whitelisted
crl.microsoft.com	23.216.77.28 23.216.77.6 2.16.164.120 2.16.164.49	whitelisted
www.microsoft.com	23.52.181.212	whitelisted
google.com	142.251.13.138 142.251.13.100 142.251.13.113 142.251.13.101 142.251.13.139 142.251.13.102	whitelisted
settings-win.data.microsoft.com	51.104.136.2	whitelisted
polygon-rpc.com	173.244.207.30	whitelisted
rpc-mainnet.matic.quiknode.pro	150.136.141.142	unknown
www.python.org	151.101.64.223 151.101.192.223 151.101.0.223 151.101.128.223	whitelisted
login.live.com	20.190.160.3 40.126.32.72 20.190.160.128 20.190.160.64 40.126.32.133 20.190.160.14 20.190.160.2 20.190.160.132	whitelisted

PID	Process	Class	Message
5276	MoUsoCoreWorker.exe	Unknown Traffic	ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
2232	svchost.exe	Misc activity	ET INFO Blockchain RPC Domain in DNS Lookup (polygon-rpc .com)
2840	javaw.exe	Misc activity	ET INFO Blockchain RPC Domain in TLS SNI (polygon-rpc .com)
—	—	A Network Trojan was detected	ET MALWARE EtherHiding Exfil M2
2232	svchost.exe	Misc activity	ET INFO Observed DNS Query to Blockchain RPC Domain (rpc-mainnet .matic .quiknode .pro)
2840	javaw.exe	Misc activity	ET INFO Observed Blockchain RPC Domain (rpc-mainnet .matic .quiknode .pro in TLS SNI)
—	—	A Network Trojan was detected	ET MALWARE EtherHiding Exfil M2
—	—	Misc activity	ET INFO JAVA - Zip/JAR File Downloaded Containing Executable Downloaded
—	—	Misc activity	ET HUNTING Suspicious User-Agent Observed (Mozilla/5.0 (Windows NT XX.X Win64 x64) AppleWebKit/XXX.XX)
—	—	Misc activity	ET HUNTING Suspicious User-Agent Observed (Mozilla/5.0 (Windows NT XX.X Win64 x64) AppleWebKit/XXX.XX)

.jar	\|	Java Archive (78.3)
.zip	\|	ZIP compressed archive (21.6)

General Info

meteor-client-1.21.11-80.jar

00B3A41B49B09D7C37F0A00961A3F5E9

2A41982B5CFD059D6A50E6DE383987BC70FCB6D5

9653F5A747F9568F92D553CF2D3D58E81A82685964E3BF2FA2EC538384E41AB0

98304:DlbADop7m2w36NpgWzCfWrmg0gPsRgAUMgITzQBQsS8MSCkHpG8/Uh1wLbRqHhaT:uUyiEmVPLI0by0

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Application launched itself

Executable content was dropped or overwritten

The process drops C-runtime libraries

Process drops python dynamic module

Loads Python modules

There is functionality for VM detection VMWare (YARA)

There is functionality for VM detection antiVM strings (YARA)

There is functionality for VM detection VirtualBox (YARA)

OpenSSL has been detected (YARA)

Starts CMD.EXE for commands execution

INFO

Create files in a temporary directory

Reads Environment values

Checks supported languages

Creates files or folders in the user directory

Reads CPU info

Reads the computer name

Reads the machine GUID from the registry

Python executable

The sample compiled with english language support

Drops encrypted JS script (Microsoft Script Encoder)

Manual execution by a user

Reads security settings of Internet Explorer

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings