| Field | Value |
|---|---|
| File name: | xeno-payload.jar |
| Full analysis: | https://app.any.run/tasks/da1edd25-81b6-4e23-9c36-5849eeed4960 |
| Verdict: | Malicious activity |
| Threats: | zgRAT is a malware known for its ability to infect systems and exfiltrate sensitive data to command-and-control (C2) servers. It is primarily distributed through loader malware, as well as phishing emails. zgRAT employs various advanced techniques, including process injection and code obfuscation, to evade detection and maintain persistence on infected systems. The malware can also spread via USB drives and uses popular messaging platforms like Telegram and Discord for data exfiltration. |
| Analysis date: | February 03, 2026, 20:10:26 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/java-archive |
| File info: | Java archive data (JAR) |
| MD5: | F89A56DBFF959639E4B4112CED98FCE2 |
| SHA1: | E95D7CD238693D35932956AEB0B629B126830206 |
| SHA256: | 1D5BEA0AE5FACF0159F35EA0BEAD65369CEB83942CC7073CB459FF06C6F82F0B |
| SSDEEP: | 49152:4SNekEjCeSmx+6otgGB53ed+iYPVdM32Tv29gMNyzyT9rlTGdsgfDArt5WribSKN:DimBVOGPedBZx7yzyT9pTGdsiABEd5Y7 |
| Extension | Identification (TrID score) |
|---|---|
| .jar | Java Archive (78.3) |
| .zip | ZIP compressed archive (21.6) |
| ZIP header field (first entry) | Value |
|---|---|
| ZipRequiredVersion: | 20 |
| ZipBitFlag: | 0x0808 |
| ZipCompression: | Deflated |
| ZipModifyDate: | 2026:02:01 16:35:10 |
| ZipCRC: | 0x00000000 |
| ZipCompressedSize: | 2 |
| ZipUncompressedSize: | - |
| ZipFileName: | META-INF/ |
All processes below ran as user admin.

| PID | CMD | Path | Indicators | Parent process | Integrity level | Exit code | Description (company) | Version |
|---|---|---|---|---|---|---|---|---|
| 404 | cmstp.exe /au "C:\Users\admin\AppData\Local\Temp\\lmjqejsikm.db-wal" | C:\Windows\System32\cmstp.exe | — | javaw.exe | MEDIUM | 0 | Microsoft Connection Manager Profile Installer (Microsoft Corporation) | 7.2.19041.1 (WinBuild.160101.0800) |
| 3664 | "C:\Users\admin\AppData\Roaming\Name\StandardName.exe" | C:\Users\admin\AppData\Roaming\Name\StandardName.exe | — | svchost.exe | HIGH | 0 | — (no company) | 1.0.0.0 |
| 4624 | C:\WINDOWS\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7} | C:\Windows\System32\dllhost.exe | — | svchost.exe | HIGH | — | COM Surrogate (Microsoft Corporation) | 10.0.19041.3636 (WinBuild.160101.0800) |
| 5768 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe | HIGH | 0 | Console Window Host (Microsoft Corporation) | 10.0.19041.1 (WinBuild.160101.0800) |
| 5828 | cmd /c "C:\Users\admin\AppData\Roaming\worldview.db-wal" | C:\Windows\System32\cmd.exe | — | javaw.exe | HIGH | 0 | Windows Command Processor (Microsoft Corporation) | 10.0.19041.1 (WinBuild.160101.0800) |
| 6348 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | icacls.exe | MEDIUM | 0 | Console Window Host (Microsoft Corporation) | 10.0.19041.1 (WinBuild.160101.0800) |
| 6540 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe | HIGH | 0 | Console Window Host (Microsoft Corporation) | 10.0.19041.1 (WinBuild.160101.0800) |
| 6640 | "C:\Program Files\Java\jre1.8.0_271\bin\javaw.exe" -jar C:\Users\admin\Desktop\xeno-payload.jar | C:\Program Files\Java\jre1.8.0_271\bin\javaw.exe | — | explorer.exe | MEDIUM | 0 | Java(TM) Platform SE binary (Oracle Corporation) | 8.0.2710.9 |
| 6852 | C:\WINDOWS\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M | C:\Windows\System32\icacls.exe | — | javaw.exe | MEDIUM | 0 | — (Microsoft Corporation) | 10.0.19041.1 (WinBuild.160101.0800) |
| 6908 | "powershell.exe" -WindowStyle Hidden -NoProfile -Command "System.Collections.Generic.List`1[System.String]" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | svchost.exe | HIGH | 1 | Windows PowerShell (Microsoft Corporation) | 10.0.19041.1 (WinBuild.160101.0800) |
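The process tree above carries the chain a detection engineer would key on: javaw.exe launches cmstp.exe with /au against a file in %TEMP% that does not carry the .inf extension, dllhost.exe then hosts CLSID {3E5FC7F9-9A51-4367-9063-A120244FBEC7} (the CMSTPLUA COM class, whose ICMLuaUtil interface is a well-known auto-elevation path), and the processes that follow (StandardName.exe from AppData\Roaming, cmd.exe running a .db-wal file, a hidden PowerShell) run at HIGH integrity although the sample started at MEDIUM. The following Python is an added example, not part of the ANY.RUN report or of any vendor's rule set: it encodes those observations as five rules and runs them over process-creation records constructed here from the rows above. The rule names, the list of user-writable directories and the extension sets are this example's assumptions. Real telemetry (Sysmon event 1, Security 4688) also carries parent PIDs; the sandbox rows only give parent image names, so the rules key on image name, command line and integrity level alone.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    """One process-creation record (fields chosen to mirror the report rows)."""
    pid: int
    cmd: str
    path: str
    parent: str
    integrity: str


# Constructed sample input modeled on the process table above; it is not
# data exported from the sandbox.
SAMPLE = [
    Proc(6640, r'"C:\Program Files\Java\jre1.8.0_271\bin\javaw.exe" -jar C:\Users\admin\Desktop\xeno-payload.jar',
         r"C:\Program Files\Java\jre1.8.0_271\bin\javaw.exe", "explorer.exe", "MEDIUM"),
    Proc(404, r'cmstp.exe /au "C:\Users\admin\AppData\Local\Temp\\lmjqejsikm.db-wal"',
         r"C:\Windows\System32\cmstp.exe", "javaw.exe", "MEDIUM"),
    Proc(4624, r"C:\WINDOWS\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}",
         r"C:\Windows\System32\dllhost.exe", "svchost.exe", "HIGH"),
    Proc(3664, r'"C:\Users\admin\AppData\Roaming\Name\StandardName.exe"',
         r"C:\Users\admin\AppData\Roaming\Name\StandardName.exe", "svchost.exe", "HIGH"),
    Proc(5828, r'cmd /c "C:\Users\admin\AppData\Roaming\worldview.db-wal"',
         r"C:\Windows\System32\cmd.exe", "javaw.exe", "HIGH"),
    Proc(6852, r'C:\WINDOWS\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M',
         r"C:\Windows\System32\icacls.exe", "javaw.exe", "MEDIUM"),
    Proc(6908, r'"powershell.exe" -WindowStyle Hidden -NoProfile -Command "System.Collections.Generic.List`1[System.String]"',
         r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "svchost.exe", "HIGH"),
]

# Assumptions of this example: directories an unprivileged user can write to,
# extensions cmd.exe is expected to run, and the CMSTPLUA CLSID (lower-cased).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
SCRIPT_EXT = {".exe", ".bat", ".cmd", ".com", ".ps1", ".vbs", ".js", ".msi"}
CMSTPLUA = "{3e5fc7f9-9a51-4367-9063-a120244fbec7}"

# A token is a run of non-space characters and/or double-quoted groups, so
# "C:\Program Files\...\javaw.exe" stays one argument.
TOKEN_RE = re.compile(r'(?:[^\s"]+|"[^"]*")+')


def argv(cmd):
    """Split a Windows command line on whitespace, honoring double quotes."""
    return [t.replace('"', "") for t in TOKEN_RE.findall(cmd)]


def image_name(p):
    return p.path.rsplit("\\", 1)[-1].lower()


def ext(path):
    name = path.rsplit("\\", 1)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""


def user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def rule_cmstp(p, a):
    """cmstp.exe installing a profile (/au, /s, /ni) from a non-.inf file or a user-writable path."""
    if image_name(p) != "cmstp.exe":
        return False
    flags = {t.lower() for t in a[1:] if t.startswith("/")}
    targets = [t for t in a[1:] if not t.startswith("/")]
    return bool(flags & {"/au", "/s", "/ni"}) and any(
        ext(t) != ".inf" or user_writable(t) for t in targets)


def rule_cmd_disguised(p, a):
    """cmd.exe /c running a user-writable file whose extension is not a script or executable."""
    if image_name(p) != "cmd.exe" or "/c" not in [t.lower() for t in a]:
        return False
    targets = [t for t in a[1:] if "\\" in t]
    return any(ext(t) not in SCRIPT_EXT and user_writable(t) for t in targets)


def rule_cmstplua(p, a):
    """COM surrogate hosting the CMSTPLUA auto-elevating class."""
    return image_name(p) == "dllhost.exe" and any(CMSTPLUA in t.lower() for t in a)


def rule_high_from_user_path(p, a):
    """A HIGH-integrity process whose image lives in a user-writable directory."""
    return p.integrity == "HIGH" and user_writable(p.path)


def rule_hidden_powershell(p, a):
    """PowerShell started with a hidden window."""
    low = [t.lower() for t in a]
    return image_name(p) == "powershell.exe" and "-windowstyle" in low and "hidden" in low


RULES = [
    ("cmstp_profile_install_from_user_path", rule_cmstp),
    ("cmd_runs_disguised_extension", rule_cmd_disguised),
    ("cmstplua_com_surrogate", rule_cmstplua),
    ("high_integrity_image_in_user_path", rule_high_from_user_path),
    ("hidden_powershell", rule_hidden_powershell),
]


def evaluate(records):
    """Return (pid, rule_name) for every rule that fires on every record."""
    hits = []
    for p in records:
        a = argv(p.cmd)
        for name, pred in RULES:
            if pred(p, a):
                hits.append((p.pid, name))
    return hits


if __name__ == "__main__":
    for pid, name in evaluate(SAMPLE):
        print(pid, name)
```

Run against the constructed records, the rules fire on PIDs 404, 4624, 3664, 5828 and 6908 and stay silent on the javaw.exe and icacls.exe rows. The cmstp rule deliberately does not require the /s flag or a specific file name: the report's sample uses /au with a .db-wal extension, and pinning on one extension would miss the next renamed profile.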
| PID | Process | Key | Name | Operation | Value |
|---|---|---|---|---|---|
| 404 | cmstp.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\Network Connections | DesktopShortcut | write | 0 |
| 404 | cmstp.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP | EnableFileTracing | write | 0 |
| 404 | cmstp.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP | EnableAutoFileTracing | write | 0 |
| 404 | cmstp.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP | EnableConsoleTracing | write | 0 |
| 404 | cmstp.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP | FileTracingMask | write | (empty) |
| 404 | cmstp.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP | ConsoleTracingMask | write | (empty) |
| 404 | cmstp.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP | MaxFileSize | write | 1048576 |
| 404 | cmstp.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP | FileDirectory | write | %windir%\tracing |
| 4624 | dllhost.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\cmmgr32.exe | ProfileInstallPath | write | C:\ProgramData\Microsoft\Network\Connections\Cm |
| 4624 | dllhost.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion | SM_AccessoriesName | write | Accessories |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 6640 | javaw.exe | C:\Users\admin\AppData\Local\Temp\jna-92668751\jna2867441104497367877.dll | executable | 34D12B1E2AF72D9BB267BBC8C0D53E4A | 13B2CAC3F50368AB97FA2E3B0D0D2CB612F68449D5BBD6DE187FC85EE4469D03 |
| 6640 | javaw.exe | C:\Users\admin\AppData\Local\Temp\lmjqejsikm.db-wal | text | DF64BE9F4D1B0BB078AC7D9ECA5FDDAF | BFE217E539455A8E5C318130C836792FE7837C1240968CFFD0DE53E266B7E5CD |
| 7844 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_wvelnkzz.0ce.ps1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
| 7360 | javaw.exe | C:\Users\admin\AppData\Local\Temp\jna-92668751\jna6566996226467998346.dll | executable | 34D12B1E2AF72D9BB267BBC8C0D53E4A | 13B2CAC3F50368AB97FA2E3B0D0D2CB612F68449D5BBD6DE187FC85EE4469D03 |
| 8792 | javaw.exe | C:\Users\admin\AppData\Local\Temp\jna-92668751\jna4421754873941486206.dll | executable | 34D12B1E2AF72D9BB267BBC8C0D53E4A | 13B2CAC3F50368AB97FA2E3B0D0D2CB612F68449D5BBD6DE187FC85EE4469D03 |
| 8080 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_x0abf5qh.jw3.ps1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
| 8080 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_vwpjntri.gkp.psm1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
| 7844 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_xdurqcpl.ccy.ps1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
| 7844 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_c4q30iky.hyu.psm1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
| 7844 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_wrno50jm.wz3.psm1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
3344 | RUXIMICS.exe | GET | 304 | 4.231.128.59:443 | https://settings-win.data.microsoft.com/settings/v3.0/WSD/RUXIM?os=Windows&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&sampleId=s:95271487&appVer=10.0.19041.3623&OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&FlightRing=Retail&AttrDataVer=186&App=RUXIM&AppVer=&DeviceFamily=Windows.Desktop | unknown | — | — | whitelisted |
6768 | MoUsoCoreWorker.exe | GET | 304 | 4.231.128.59:443 | https://settings-win.data.microsoft.com/settings/v3.0/wsd/muse?ProcessorClockSpeed=3094&FlightIds=&UpdateOfferedDays=4294967295&BranchReadinessLevel=CB&OEMManufacturerName=DELL&IsCloudDomainJoined=0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&sku=48&ActivationChannel=Retail&AttrDataVer=186&IsMDMEnrolled=0&ProcessorCores=6&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&TotalPhysicalRAM=6144&PrimaryDiskType=4294967295&FlightingBranchName=&ChassisTypeId=1&OEMModelNumber=DELL&SystemVolumeTotalCapacity=260281&sampleId=95271487&deviceClass=Windows.Desktop&App=muse&DisableDualScan=0&AppVer=10.0&OEMSubModel=J5CR&locale=en-US&IsAlwaysOnAlwaysConnectedCapable=0&ms=0&DefaultUserRegion=244&UpdateServiceUrl=http%3A%2F%2Fneverupdatewindows10.com&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&os=windows&deviceId=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&DeferQualityUpdatePeriodInDays=0&ring=Retail&DeferFeatureUpdatePeriodInDays=30 | unknown | — | — | whitelisted |
1512 | SIHClient.exe | GET | 304 | 135.233.95.144:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | — | — | whitelisted |
6768 | MoUsoCoreWorker.exe | GET | 200 | 23.53.41.90:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
— | — | POST | 200 | 40.126.32.136:443 | https://login.live.com/RST2.srf | unknown | xml | 10.3 Kb | unknown |
1512 | SIHClient.exe | GET | 200 | 135.233.95.135:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | unknown | — | — | whitelisted |
5524 | svchost.exe | GET | 200 | 4.231.128.59:443 | https://settings-win.data.microsoft.com/settings/v3.0/WSD/WaasMedic?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&appVer=10.0.19041.3758&ring=Retail&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4 | unknown | text | 3.41 Kb | whitelisted |
1512 | SIHClient.exe | GET | 200 | 135.233.95.144:443 | https://slscr.update.microsoft.com/sls/ping | unknown | — | — | whitelisted |
1512 | SIHClient.exe | GET | 200 | 23.59.18.102:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.3.crl | unknown | — | — | whitelisted |
1512 | SIHClient.exe | GET | 304 | 135.233.95.144:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | — | — | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | Not routed | — | whitelisted |
6768 | MoUsoCoreWorker.exe | 4.231.128.59:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
— | — | 2.16.204.158:443 | www.bing.com | AKAMAI-ASN1 | NL | whitelisted |
5524 | svchost.exe | 4.231.128.59:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
3344 | RUXIMICS.exe | 4.231.128.59:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
— | — | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
4 | System | 192.168.100.255:138 | — | Not routed | — | whitelisted |
5524 | svchost.exe | 23.53.41.90:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted |
3344 | RUXIMICS.exe | 23.53.41.90:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted |
6768 | MoUsoCoreWorker.exe | 23.53.41.90:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted |
| Domain | IP | Reputation |
|---|---|---|
| www.bing.com | — | whitelisted |
| self.events.data.microsoft.com | — | whitelisted |
| client.wns.windows.com | — | whitelisted |
| google.com | — | whitelisted |
| crl.microsoft.com | — | whitelisted |
| settings-win.data.microsoft.com | — | whitelisted |
| login.live.com | — | whitelisted |
| slscr.update.microsoft.com | — | whitelisted |
| www.microsoft.com | — | whitelisted |
| fe3cr.delivery.mp.microsoft.com | — | whitelisted |