File name:	FastClient-LATEST.jar
Full analysis:	https://app.any.run/tasks/1b88b7b5-c758-4112-b362-2dfe3e0f5b9c
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	May 20, 2026, 03:37:45
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	stealer weedhack etherhiding evasion auto-sch auto-reg auto loader
Indicators:
MIME:	application/java-archive
File info:	Java archive data (JAR)
MD5:	7069727CDC1164BAF33A5CDCE715E024
SHA1:	DFB50C9B331291407F60B97712D09A1A05646292
SHA256:	FF27463B3A1EA4787C8DDDE4511B6133DBDC77237C1EA7521BACB9A3C37709E5
SSDEEP:	12288:stDLjnRVs+zWY4rA1/06H3KV8LT+ISVvNz+XtlEm5uC:stDLjnRVs+z6rA1/0W3c8LT+ISVv1+X5

ZipRequiredVersion:	20
ZipBitFlag:	0x0808
ZipCompression:	Deflated
ZipModifyDate:	2026:05:16 20:01:38
ZipCRC:	0x0a5801f7
ZipCompressedSize:	2460
ZipUncompressedSize:	6176
ZipFileName:	obf/IlII.class


(PID) Process:	(7408) slui.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\3d\52C64B7E
Operation:	write	Name:	@%SystemRoot%\System32\sppcomapi.dll,-3200
Value: Software Licensing
(PID) Process:	(5748) dllhost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\cmmgr32.exe
Operation:	write	Name:	ProfileInstallPath
Value: C:\ProgramData\Microsoft\Network\Connections\Cm
(PID) Process:	(5748) dllhost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
Operation:	write	Name:	SM_AccessoriesName
Value: Accessories
(PID) Process:	(5748) dllhost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
Operation:	write	Name:	PF_AccessoriesName
Value: Accessories
(PID) Process:	(5748) dllhost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\DllHost_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(5748) dllhost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\DllHost_RASAPI32
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(5748) dllhost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\DllHost_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(5748) dllhost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\DllHost_RASAPI32
Operation:	write	Name:	FileTracingMask
Value:
(PID) Process:	(5748) dllhost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\DllHost_RASAPI32
Operation:	write	Name:	ConsoleTracingMask
Value:
(PID) Process:	(5748) dllhost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\DllHost_RASAPI32
Operation:	write	Name:	MaxFileSize
Value: 1048576

PID	Process	Filename		Type
7484	javaw.exe	C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1693682860-607145093-2874071422-1001\83aa4cc77f591dfc2374580bbd95f6ba_bb926e54-e3ca-40fd-ae90-2764341e7792		binary
		MD5:C8366AE350E7019AEFC9D1E6E6A498C6	SHA256:11E6ACA8E682C046C83B721EEB5C72C5EF03CB5936C60DF6F4993511DDC61238
7484	javaw.exe	C:\Users\admin\AppData\Local\Temp\fkrprglvdv.acdm		text
		MD5:A18FB0BBE3E67074CA6D0134C0B7D5F7	SHA256:FDCEAFE4DCF9CF6D23B2033824275C08EC73D6B01ADC644416E43ECCA94C89C9
2988	javaw.exe	C:\Users\admin\AppData\Local\Temp\lib7824604376133704993.tmp		executable
		MD5:F8C312605C1C695B45C459953AE01B8E	SHA256:499CF4818267FE2384C4C9DFC72BB65A2562560CFE2237CD2EF49471141DE8DA
2988	javaw.exe	C:\Users\admin\AppData\Local\Temp\WinDefConfig.cmd		text
		MD5:B47079E54B7D1B2D8C4245991C933147	SHA256:95BA820E7D0405B2E496C6F1AF93414F425179A6E44746C7868D8CEDA6E3087A
7704	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_tfjtn3n3.cba.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2988	javaw.exe	C:\Users\admin\AppData\Roaming\Microsoft\SecurityUpdates\SecurityInfo.json		text
		MD5:7DD210E1E099901530E50446047DF61B	SHA256:0BB44100B8502F6AADEADAE6BB094F762A14515259ABB515ACC25C212F2C10E2
2988	javaw.exe	C:\Users\admin\AppData\Local\Temp\sqlite-jdbc-3.23.1.jar		compressed
		MD5:76C9C25DE0F8603E5706ADAB1CC18009	SHA256:D570AF636A2BE99E20BE9510FB615AA819B2059857B2DD625AECBFF774766331
5200	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_fy2mgk2f.2lw.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2988	javaw.exe	C:\Users\admin\AppData\Local\Temp\jna-natives-315016130197337575\jnidispatch.dll		executable
		MD5:719D6BA1946C25AA61CE82F90D77FFD5	SHA256:69C45175ECFD25AF023F96AC0BB2C45E6A95E3BA8A5A50EE7969CCAB14825C44
7484	javaw.exe	C:\Users\admin\AppData\Local\Temp\jna-1779248301093\jnidispatch.dll		executable
		MD5:2D2475F1F026DD54E9F3E787AE4F81DA	SHA256:5A7FF949F6D93D86491EB5B26B1CFC60051168A60622650224B89995AC420023

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5276	MoUsoCoreWorker.exe	GET	304	48.209.133.15:443	https://settings-win.data.microsoft.com/settings/v3.0/wsd/muse?ProcessorClockSpeed=3094&FlightIds=&UpdateOfferedDays=4294967295&BranchReadinessLevel=CB&OEMManufacturerName=DELL&IsCloudDomainJoined=0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&sku=48&ActivationChannel=Retail&AttrDataVer=186&IsMDMEnrolled=0&ProcessorCores=6&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&TotalPhysicalRAM=6144&PrimaryDiskType=4294967295&FlightingBranchName=&ChassisTypeId=1&OEMModelNumber=DELL&SystemVolumeTotalCapacity=260281&sampleId=95271487&deviceClass=Windows.Desktop&App=muse&DisableDualScan=0&AppVer=10.0&OEMSubModel=J5CR&locale=en-US&IsAlwaysOnAlwaysConnectedCapable=0&ms=0&DefaultUserRegion=244&UpdateServiceUrl=http%3A%2F%2Fneverupdatewindows10.com&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&os=windows&deviceId=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&DeferQualityUpdatePeriodInDays=0&ring=Retail&DeferFeatureUpdatePeriodInDays=30	US	—	—	whitelisted
5276	MoUsoCoreWorker.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	US	binary	814 b	whitelisted
—	—	GET	200	1.0.0.1:443	https://cloudflare-dns.com/dns-query?name=eth.llamarpc.com&type=A	AU	text	266 b	unknown
3352	svchost.exe	GET	200	48.209.133.15:443	https://settings-win.data.microsoft.com/settings/v3.0/WSD/WaasMedic?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&appVer=10.0.19041.3758&ring=Retail&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4	US	text	3.41 Kb	whitelisted
5764	SIHClient.exe	GET	304	135.232.92.137:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	US	—	—	whitelisted
3352	svchost.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	US	binary	814 b	whitelisted
7408	slui.exe	POST	500	48.192.1.65:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	US	xml	512 b	whitelisted
5316	svchost.exe	POST	200	40.126.31.131:443	https://login.live.com/RST2.srf	US	xml	1.24 Kb	whitelisted
7408	slui.exe	POST	500	48.192.1.64:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	US	xml	512 b	whitelisted
5316	svchost.exe	POST	200	40.126.32.134:443	https://login.live.com/RST2.srf	US	xml	1.24 Kb	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	Not routed	—	whitelisted
5276	MoUsoCoreWorker.exe	48.209.133.15:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
5412	slui.exe	48.192.1.64:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
3352	svchost.exe	48.209.133.15:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
—	—	23.11.206.98:443	www.bing.com	AKAMAI-ASN1	NL	whitelisted
4	System	192.168.100.255:138	—	Not routed	—	whitelisted
7484	javaw.exe	104.16.249.249:443	cloudflare-dns.com	CLOUDFLARENET	US	whitelisted
3352	svchost.exe	184.24.77.37:80	crl.microsoft.com	AKAMAI-ASN1	NL	whitelisted
3352	svchost.exe	88.221.169.152:80	www.microsoft.com	AKAMAI-AS	US	whitelisted
5276	MoUsoCoreWorker.exe	88.221.169.152:80	www.microsoft.com	AKAMAI-AS	US	whitelisted

Domain	IP	Reputation
activation-v2.sls.microsoft.com	48.192.1.64	whitelisted
www.bing.com	23.11.206.98 23.3.89.122 95.100.158.114	whitelisted
google.com	142.251.20.100 142.251.20.113 142.251.20.138 142.251.20.102 142.251.20.101 142.251.20.139	whitelisted
cloudflare-dns.com	104.16.249.249 104.16.248.249	whitelisted
crl.microsoft.com	184.24.77.37 184.24.77.12 184.24.77.35	whitelisted
www.microsoft.com	88.221.169.152	whitelisted
login.live.com	40.126.32.134 40.126.32.140 20.190.160.128 20.190.160.66 20.190.160.130 20.190.160.65 20.190.160.64 20.190.160.3	whitelisted
client.wns.windows.com	172.211.123.250	whitelisted
settings-win.data.microsoft.com	48.209.133.15	whitelisted
slscr.update.microsoft.com	135.232.92.137	whitelisted

PID	Process	Class	Message
2232	svchost.exe	Misc activity	INFO [ANY.RUN] Cloudflare DNS-over-HTTPS service requested (cloudflare-dns .com)
7484	javaw.exe	Misc activity	ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)
7484	javaw.exe	A Network Trojan was detected	STEALER WeedHack TLS activity observed
3352	svchost.exe	Unknown Traffic	ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
—	—	A Network Trojan was detected	ET MALWARE EtherHiding Exfil M2
—	—	A Network Trojan was detected	ET MALWARE EtherHiding Exfil M2
—	—	Misc activity	INFO [ANY.RUN] DDoS-Guard Hosted Web Content observed
7484	javaw.exe	A Network Trojan was detected	STEALER WeedHack TLS activity observed
—	—	A Network Trojan was detected	ET MALWARE EtherHiding Exfil M2
2232	svchost.exe	Misc activity	INFO [ANY.RUN] Cloudflare DNS-over-HTTPS service requested (cloudflare-dns .com)

.jar	\|	Java Archive (78.3)
.zip	\|	ZIP compressed archive (21.6)

General Info

FastClient-LATEST.jar

7069727CDC1164BAF33A5CDCE715E024

DFB50C9B331291407F60B97712D09A1A05646292

FF27463B3A1EA4787C8DDDE4511B6133DBDC77237C1EA7521BACB9A3C37709E5

12288:stDLjnRVs+zWY4rA1/06H3KV8LT+ISVvNz+XtlEm5uC:stDLjnRVs+z6rA1/0W3c8LT+ISVv1+X5

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

WEEDHACK has been detected (SURICATA)

Stealers network behavior

Known privilege escalation attack

Adds process to the Windows Defender exclusion list

Changes Windows Defender settings

Run PowerShell with an invisible window

Changes powershell execution policy (Bypass)

Enumerates physical memory (Win32_PhysicalMemory) (SCRIPT)

Steals credentials from Web Browsers

Actions looks like stealing of personal data

Changes the autorun value in the registry

WEEDHACK has been detected

Uses Task Scheduler to autorun other applications

Adds path to the Windows Defender exclusion list

WEEDHACK has been found (auto)

ETHERHIDING has been detected (SURICATA)

SUSPICIOUS

Application launched itself

There is functionality for VM detection VirtualBox (YARA)

There is functionality for VM detection VMWare (YARA)

Executable content was dropped or overwritten

There is functionality for VM detection antiVM strings (YARA)

Used cmstp for execute code hidden within an inf file

Executing commands from ".cmd" file

Runs shell command (SCRIPT)

The process executes VB scripts

Script adds exclusion process to Windows Defender

Starts CMD.EXE for commands execution

Adds exclusion path to Windows Defender (POWERSHELL)

Starts POWERSHELL.EXE for commands execution

Suspicious use of NETSH.EXE

The process bypasses the loading of PowerShell profile settings

Bypass execution policy to execute commands

Get Video Controller Information (POWERSHELL)

Checks RAM size (probably for evasion)

Possible stealing from browsers

Possible stealing of messenger data

Loads DLL from Mozilla Firefox

Uses NETSH.EXE to obtain data on the network

Possible stealing from crypto wallets

Deletes scheduled task without confirmation

Creates scheduled task with ONLOGON parameter

Creates scheduled task with highest privileges

The executable file from the user directory is run by the CMD process

Base64-obfuscated command line is found

BASE64 encoded PowerShell command has been detected

Reads the date of Windows installation

Starts process via Powershell

INFO

Create files in a temporary directory

Reads Environment values

Checks supported languages

Reads CPU info

Reads the machine GUID from the registry

Reads the computer name

Creates files or folders in the user directory

Disables trace logs

Checks transactions between databases Windows and Oracle

Process checks computer location settings

Checks if a key exists in the options dictionary (POWERSHELL)

Launching a file from a Registry key

Manual execution by a user

Reads security settings of Internet Explorer

Script raised an exception (POWERSHELL)

The executable file from the user directory is run by the Powershell process

.NET Reactor protector has been detected

Malware configuration

Static information