File name:	prestige-1.21.jar
Full analysis:	https://app.any.run/tasks/4065dbfc-e70c-417c-896b-50ac7f36b7c2
Verdict:	Malicious activity
Threats:	Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	May 20, 2026, 07:47:40
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	etherhiding stealer weedhack evasion auto-reg auto-sch pua adware auto websocket loader netreactor purehvnc
Indicators:
MIME:	application/java-archive
File info:	Java archive data (JAR)
MD5:	D9A4AB8CD89789C6A966654DCA46D5FC
SHA1:	514DF5A496E709421F22099426F427CA22FE18A5
SHA256:	A030CF2D0D67065E2126B879EEE0AE0A05B98D67DD1528DA04C2C9167FBC2FAB
SSDEEP:	6144:5xBfmyH19xvufnXZW1i06NNEE+s0WRd6YfhYe6MwEYH7XQsuI3l23Ktfc7yVV:bvH9So1i06NNEUHjhYcYzT3rrVV

ZipRequiredVersion:	20
ZipBitFlag:	0x0808
ZipCompression:	Deflated
ZipModifyDate:	2026:04:30 22:36:02
ZipCRC:	0xb4d31181
ZipCompressedSize:	228
ZipUncompressedSize:	290
ZipFileName:	ps76/rxl/ζεθυψσο.class

PID	Process	Filename		Type
2876	javaw.exe	C:\Users\admin\AppData\Local\Temp\jna-1779263277032\jnidispatch.dll		executable
		MD5:2D2475F1F026DD54E9F3E787AE4F81DA	SHA256:5A7FF949F6D93D86491EB5B26B1CFC60051168A60622650224B89995AC420023
2876	javaw.exe	C:\Users\admin\AppData\Local\Temp\lib7040214032857107556.tmp		executable
		MD5:3FE0E561EE3DE87C8A786DCB2B0C3D79	SHA256:B3E8C2DC252BF68E47EC2AB052592D159468F11CE9851B3DE9951D17AA24104A
2876	javaw.exe	C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1693682860-607145093-2874071422-1001\83aa4cc77f591dfc2374580bbd95f6ba_bb926e54-e3ca-40fd-ae90-2764341e7792		binary
		MD5:C8366AE350E7019AEFC9D1E6E6A498C6	SHA256:11E6ACA8E682C046C83B721EEB5C72C5EF03CB5936C60DF6F4993511DDC61238
2876	javaw.exe	C:\Users\admin\AppData\Local\Temp\elv.vbs		text
		MD5:B31039B4157F1A447B0150BE6CBEC370	SHA256:322924421F8F1054199E8EA511E84442C38ABF1934B6499FF8DDC4F74C19F64E
2876	javaw.exe	C:\Users\admin\AppData\Local\Temp\elevator.jar		compressed
		MD5:92D04D6BD8A0235843240BBA30D2F091	SHA256:566AD1A80220026D05099562645CE968FF0E7C36CDE22634332605BB34CC3EFF
2876	javaw.exe	C:\Users\admin\AppData\Local\Temp\jsadcmzpzn.acdm		text
		MD5:A18FB0BBE3E67074CA6D0134C0B7D5F7	SHA256:FDCEAFE4DCF9CF6D23B2033824275C08EC73D6B01ADC644416E43ECCA94C89C9
7856	javaw.exe	C:\Users\admin\AppData\Local\Temp\lib12493507403996226419.tmp		executable
		MD5:F8C312605C1C695B45C459953AE01B8E	SHA256:499CF4818267FE2384C4C9DFC72BB65A2562560CFE2237CD2EF49471141DE8DA
7856	javaw.exe	C:\Users\admin\AppData\Local\Temp\jna-1779263285331\jnidispatch.dll		executable
		MD5:2D2475F1F026DD54E9F3E787AE4F81DA	SHA256:5A7FF949F6D93D86491EB5B26B1CFC60051168A60622650224B89995AC420023
7856	javaw.exe	C:\Users\admin\AppData\Local\Temp\WinDefConfig.cmd		text
		MD5:B47079E54B7D1B2D8C4245991C933147	SHA256:95BA820E7D0405B2E496C6F1AF93414F425179A6E44746C7868D8CEDA6E3087A
7856	javaw.exe	C:\Users\admin\AppData\Roaming\debug.log		text
		MD5:1F16F04C45692E0908AF8A6F6E551AFB	SHA256:9EB3FF68144B304F48C0FFEA5001678961492EE5988AB94DCC3A06EF4D78470F

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5276	MoUsoCoreWorker.exe	GET	304	48.209.138.189:443	https://settings-win.data.microsoft.com/settings/v3.0/wsd/muse?ProcessorClockSpeed=3094&FlightIds=&UpdateOfferedDays=4294967295&BranchReadinessLevel=CB&OEMManufacturerName=DELL&IsCloudDomainJoined=0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&sku=48&ActivationChannel=Retail&AttrDataVer=186&IsMDMEnrolled=0&ProcessorCores=6&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&TotalPhysicalRAM=6144&PrimaryDiskType=4294967295&FlightingBranchName=&ChassisTypeId=1&OEMModelNumber=DELL&SystemVolumeTotalCapacity=260281&sampleId=95271487&deviceClass=Windows.Desktop&App=muse&DisableDualScan=0&AppVer=10.0&OEMSubModel=J5CR&locale=en-US&IsAlwaysOnAlwaysConnectedCapable=0&ms=0&DefaultUserRegion=244&UpdateServiceUrl=http%3A%2F%2Fneverupdatewindows10.com&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&os=windows&deviceId=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&DeferQualityUpdatePeriodInDays=0&ring=Retail&DeferFeatureUpdatePeriodInDays=30	US	—	—	whitelisted
6260	svchost.exe	GET	200	2.16.164.49:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	NL	binary	825 b	whitelisted
2876	javaw.exe	GET	200	1.0.0.1:443	https://cloudflare-dns.com/dns-query?name=eth.llamarpc.com&type=A	AU	—	264 b	—
7588	SIHClient.exe	GET	304	74.178.240.61:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	US	—	—	whitelisted
2876	javaw.exe	GET	200	1.0.0.1:443	https://cloudflare-dns.com/dns-query?name=eth.api.onfinality.io&type=A	AU	text	288 b	unknown
2876	javaw.exe	POST	200	142.215.53.55:443	https://eth.api.onfinality.io/public	CA	text	934 b	malicious
2876	javaw.exe	GET	200	1.0.0.1:443	https://cloudflare-dns.com/dns-query?name=fucktermedfir.st&type=A	AU	text	198 b	unknown
6060	slui.exe	POST	500	48.192.1.65:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	US	xml	512 b	whitelisted
6260	svchost.exe	GET	200	23.52.181.212:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	US	binary	814 b	whitelisted
—	—	GET	200	1.0.0.1:443	https://cloudflare-dns.com/dns-query?name=eth.llamarpc.com&type=A	AU	text	266 b	unknown

Domain	IP	Reputation
activation-v2.sls.microsoft.com	48.192.1.65	whitelisted
www.bing.com	92.123.104.17 92.123.104.21 92.123.104.19 92.123.104.16 92.123.104.18 92.123.104.13 92.123.104.22 92.123.104.14 92.123.104.15	whitelisted
google.com	142.251.13.113 142.251.13.139 142.251.13.102 142.251.13.101 142.251.13.100 142.251.13.138	whitelisted
cloudflare-dns.com	104.16.248.249 104.16.249.249	whitelisted
crl.microsoft.com	2.16.164.49 2.16.164.72	whitelisted
www.microsoft.com	23.52.181.212	whitelisted
settings-win.data.microsoft.com	48.209.138.189	whitelisted
client.wns.windows.com	172.211.123.248	whitelisted

PID	Process	Class	Message
2232	svchost.exe	Misc activity	INFO [ANY.RUN] Cloudflare DNS-over-HTTPS service requested (cloudflare-dns .com)
2876	javaw.exe	Misc activity	ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)
2876	javaw.exe	A Network Trojan was detected	STEALER WeedHack TLS activity observed
—	—	A Network Trojan was detected	ET MALWARE EtherHiding Exfil M2
6260	svchost.exe	Unknown Traffic	ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
—	—	A Network Trojan was detected	ET MALWARE EtherHiding Exfil M2
—	—	Misc activity	INFO [ANY.RUN] DDoS-Guard Hosted Web Content observed
—	—	A Network Trojan was detected	ET MALWARE EtherHiding Exfil M2
—	—	A Network Trojan was detected	ET MALWARE EtherHiding Exfil M2
2232	svchost.exe	Misc activity	INFO [ANY.RUN] Cloudflare DNS-over-HTTPS service requested (cloudflare-dns .com)

.jar	\|	Java Archive (78.3)
.zip	\|	ZIP compressed archive (21.6)

General Info

prestige-1.21.jar

D9A4AB8CD89789C6A966654DCA46D5FC

514DF5A496E709421F22099426F427CA22FE18A5

A030CF2D0D67065E2126B879EEE0AE0A05B98D67DD1528DA04C2C9167FBC2FAB

6144:5xBfmyH19xvufnXZW1i06NNEE+s0WRd6YfhYe6MwEYH7XQsuI3l23Ktfc7yVV:bvH9So1i06NNEUHjhYcYzT3rrVV

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Stealers network behavior

WEEDHACK has been detected (SURICATA)

Known privilege escalation attack

Adds process to the Windows Defender exclusion list

Run PowerShell with an invisible window

Changes Windows Defender settings

Changes powershell execution policy (Bypass)

Enumerates physical memory (Win32_PhysicalMemory) (SCRIPT)

Steals credentials from Web Browsers

Actions looks like stealing of personal data

Changes the autorun value in the registry

WEEDHACK has been detected

Uses Task Scheduler to autorun other applications

WEEDHACK has been found (auto)

Adds path to the Windows Defender exclusion list

ETHERHIDING has been detected (SURICATA)

PUREHVNC has been detected (YARA)

Uses Task Scheduler to run other applications

SUSPICIOUS

Application launched itself

There is functionality for VM detection VMWare (YARA)

There is functionality for VM detection VirtualBox (YARA)

Executable content was dropped or overwritten

There is functionality for VM detection antiVM strings (YARA)

Used cmstp for execute code hidden within an inf file

The process executes VB scripts

Starts CMD.EXE for commands execution

Runs shell command (SCRIPT)

Executing commands from ".cmd" file

Script adds exclusion process to Windows Defender

Starts POWERSHELL.EXE for commands execution

Adds exclusion path to Windows Defender (POWERSHELL)

Suspicious use of NETSH.EXE

Bypass execution policy to execute commands

The process bypasses the loading of PowerShell profile settings

Get Video Controller Information (POWERSHELL)

Checks RAM size (probably for evasion)

Possible stealing from browsers

Possible stealing of messenger data

Loads DLL from Mozilla Firefox

Uses NETSH.EXE to obtain data on the network

Possible stealing from crypto wallets

Deletes scheduled task without confirmation

Creates scheduled task with highest privileges

Creates scheduled task with ONLOGON parameter

The executable file from the user directory is run by the CMD process

Reads the date of Windows installation

Base64-obfuscated command line is found

BASE64 encoded PowerShell command has been detected

Starts process via Powershell

Access to an unwanted program domain was detected

Uses NETSH.EXE to add a firewall rule or allowed programs

Uses TASKKILL.EXE to kill process

Multiple wallet extension IDs have been found

INFO

Create files in a temporary directory

Reads Environment values

Reads CPU info

Checks supported languages

Reads the machine GUID from the registry

Reads the computer name

Creates files or folders in the user directory

Disables trace logs

Checks transactions between databases Windows and Oracle

Process checks computer location settings

Checks if a key exists in the options dictionary (POWERSHELL)

Launching a file from a Registry key

Manual execution by a user