Malware analysis 72349011.jar Malicious activity | ANY.RUN

Add for printing

File name:	72349011.jar
Full analysis:	https://app.any.run/tasks/57fcfc76-fdd6-4975-bf03-9e6daf598ae4
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. NetSupport RAT is a malicious adaptation of the legitimate NetSupport Manager, a remote access tool used for IT support, which cybercriminals exploit to gain unauthorized control over systems. It has gained significant traction due to its sophisticated evasion techniques, widespread distribution campaigns, and the challenge it poses to security professionals who must distinguish between legitimate and malicious uses of the underlying software. Malware Trends Tracker >>>
Analysis date:	May 19, 2025, 08:58:01
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	java loader netsupport rmm-tool auto
Indicators:
MIME:	application/java-archive
File info:	Java archive data (JAR)
MD5:	B13F7CCBEDFB71B0211C14AFE0815B36
SHA1:	A292736146839D995E0038815B667B6387BDFE70
SHA256:	41FCBC99F4CDE5934AA31B2EEF9E90ABEA5082AA62493B644FE4ADDA7096AF21
SSDEEP:	384:z1G/Ep/DlMf6Qz1ub3chC3qaWxccWurMWr9K/f2iKRKdutw:z1Ke/DuffRPk6ucRrlc/fDKRK4w

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Executing a file with an untrusted certificate
  - client32.exe (PID: 4164)
- NETSUPPORT has been found (auto)
  - javaw.exe (PID: 5404)
- Create files in the Startup directory
  - javaw.exe (PID: 5404)
- Changes the autorun value in the registry
  - reg.exe (PID: 3156)
- Uses Task Scheduler to autorun other applications
  - cmd.exe (PID: 1852)
SUSPICIOUS
- Executable content was dropped or overwritten
  - javaw.exe (PID: 5404)
- Process drops legitimate windows executable
  - javaw.exe (PID: 5404)
- Potential Corporate Privacy Violation
  - javaw.exe (PID: 5404)
- The process drops C-runtime libraries
  - javaw.exe (PID: 5404)
- Process requests binary or script from the Internet
  - javaw.exe (PID: 5404)
- Drop NetSupport executable file
  - javaw.exe (PID: 5404)
- Starts CMD.EXE for commands execution
  - javaw.exe (PID: 5404)
- The executable file from the user directory is run by the CMD process
  - client32.exe (PID: 4164)
- Uses REG/REGEDIT.EXE to modify registry
  - cmd.exe (PID: 680)
INFO
- Creates files in the program directory
  - javaw.exe (PID: 5404)
- Application based on Java
  - javaw.exe (PID: 5404)
- Create files in a temporary directory
  - javaw.exe (PID: 5404)
- Reads the computer name
  - javaw.exe (PID: 5404)
- Checks supported languages
  - javaw.exe (PID: 5404)
- The sample compiled with english language support
  - javaw.exe (PID: 5404)
- Creates files or folders in the user directory
  - javaw.exe (PID: 5404)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.jar	\|	Java Archive (78.3)
.zip	\|	ZIP compressed archive (21.6)

EXIF

ZIP

ZipRequiredVersion:	10
ZipBitFlag:	0x0800
ZipCompression:	None
ZipModifyDate:	2025:05:19 05:01:48
ZipCRC:	0x00000000
ZipCompressedSize:	-
ZipUncompressedSize:	-
ZipFileName:	META-INF/

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

141

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

516

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

680

cmd.exe /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v FiscalAgent /t REG_SZ /d "C:\Users\admin\Documents\TaxCheckUtility\client32.exe" /f"

C:\Windows\System32\cmd.exe

—

javaw.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll

812

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1072

"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent

C:\Windows\System32\slui.exe

—

SppExtComObj.Exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows Activation Client

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

1852

cmd.exe /c "schtasks /Create /TN "FiscalJob" /TR "C:\Users\admin\Documents\TaxCheckUtility\client32.exe" /SC ONLOGON /RL LIMITED /F /RU "admin""

C:\Windows\System32\cmd.exe

javaw.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll

2096

schtasks /Create /TN "FiscalJob" /TR "C:\Users\admin\Documents\TaxCheckUtility\client32.exe" /SC ONLOGON /RL LIMITED /F /RU "admin"

C:\Windows\System32\schtasks.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Task Scheduler Configuration Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

3156

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v FiscalAgent /t REG_SZ /d "C:\Users\admin\Documents\TaxCheckUtility\client32.exe" /f

C:\Windows\System32\reg.exe

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Registry Console Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

4164

"C:\Users\admin\Documents\TaxCheckUtility\client32.exe"

C:\Users\admin\Documents\TaxCheckUtility\client32.exe

—

cmd.exe

User:

admin

Company:

NetSupport Ltd

Integrity Level:

MEDIUM

Description:

NetSupport Client Application

Exit code:

3221225781

Version:

V12.44

Modules

Images
c:\users\admin\documents\taxcheckutility\client32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

4628

C:\WINDOWS\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\SppExtComObj.Exe

—

svchost.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

KMS Connection Broker

Version:

10.0.19041.3996 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll

4652

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

icacls.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

595

Read events

594

Write events

Delete events

Modification events


(PID) Process:	(3156) reg.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	FiscalAgent
Value: C:\Users\admin\Documents\TaxCheckUtility\client32.exe

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
5404	javaw.exe	C:\Users\admin\Documents\TaxCheckUtility\counter.dat		binary
		MD5:C4CA4238A0B923820DCC509A6F75849B	SHA256:—
5404	javaw.exe	C:\Users\admin\Documents\TaxCheckUtility\kbdibm02.DLL		executable
		MD5:110BB11112903EE1BECE36BABA256754	SHA256:81A6E79F3AC731BB3C7EFBDCAF18DF7662964B8E7907018B1B4551F3562F1B66
5404	javaw.exe	C:\Users\admin\Documents\TaxCheckUtility\msvcr100.dll		executable
		MD5:0E37FBFA79D349D672456923EC5FBBE3	SHA256:8793353461826FBD48F25EA8B835BE204B758CE7510DB2AF631B28850355BD18
5404	javaw.exe	C:\Users\admin\Documents\TaxCheckUtility\ir50_qcx.dll		html
		MD5:1326C16A18441423830933FBB3A6A290	SHA256:3BB40456027C77D05B991E4686F10E51739A6EBDCA3E33EC5EDCD1E2C28B34CF
5404	javaw.exe	C:\Users\admin\Documents\TaxCheckUtility\client32.ini		html
		MD5:1326C16A18441423830933FBB3A6A290	SHA256:3BB40456027C77D05B991E4686F10E51739A6EBDCA3E33EC5EDCD1E2C28B34CF
5404	javaw.exe	C:\ProgramData\Oracle\Java\.oracle_jre_usage\17dfc292991c8061.timestamp		text
		MD5:85E2E5915FD8D3A72D9470ED2699D1CC	SHA256:21F2203A517C0108D7AE675CB5E139BB592C592118F5D2CBF4CA29AFB6BA701C
5404	javaw.exe	C:\Users\admin\Documents\TaxCheckUtility\HTCTL32.DLL		executable
		MD5:2D3B207C8A48148296156E5725426C7F	SHA256:EDFE2B923BFB5D1088DE1611401F5C35ECE91581E71503A5631647AC51F7D796
5404	javaw.exe	C:\Users\admin\Documents\TaxCheckUtility\pcicapi.dll		executable
		MD5:DCDE2248D19C778A41AA165866DD52D0	SHA256:9074FD40EA6A0CAA892E6361A6A4E834C2E51E6E98D1FFCDA7A9A537594A6917
5404	javaw.exe	C:\Users\admin\Documents\TaxCheckUtility\kbd106n.dll		html
		MD5:1326C16A18441423830933FBB3A6A290	SHA256:3BB40456027C77D05B991E4686F10E51739A6EBDCA3E33EC5EDCD1E2C28B34CF
5404	javaw.exe	C:\Users\admin\Documents\TaxCheckUtility\remcmdstub.exe		executable
		MD5:35DA3B727567FAB0C7C8426F1261C7F5	SHA256:89027F1449BE9BA1E56DD82D13A947CB3CA319ADFE9782F4874FBDC26DC59D09

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	23.53.40.178:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5404	javaw.exe	HEAD	403	92.113.16.99:80	http://sti-kg.com/settings/	unknown	—	—	unknown
5404	javaw.exe	GET	200	92.113.16.99:80	http://sti-kg.com/settings/client32.ini	unknown	—	—	unknown
—	—	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5404	javaw.exe	GET	200	92.113.16.99:80	http://sti-kg.com/settings/kbdibm02.DLL	unknown	—	—	malicious
5404	javaw.exe	GET	200	92.113.16.99:80	http://sti-kg.com/settings/HTCTL32.DLL	unknown	—	—	malicious
5404	javaw.exe	GET	200	92.113.16.99:80	http://sti-kg.com/settings/kbd106n.dll	unknown	—	—	unknown
5404	javaw.exe	GET	200	92.113.16.99:80	http://sti-kg.com/settings/pcicapi.dll	unknown	—	—	malicious
5404	javaw.exe	GET	200	92.113.16.99:80	http://sti-kg.com/settings/msvcr100.dll	unknown	—	—	malicious
5404	javaw.exe	GET	200	92.113.16.99:80	http://sti-kg.com/settings/ir50_qcx.dll	unknown	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	23.53.40.178:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
—	—	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
2104	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5404	javaw.exe	92.113.16.99:80	sti-kg.com	PJSC Ukrtelecom	UA	malicious
3216	svchost.exe	172.211.123.249:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
6544	svchost.exe	20.190.160.66:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6544	svchost.exe	2.17.190.73:80	ocsp.digicert.com	AKAMAI-AS	DE	whitelisted
2112	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158 4.231.128.59	whitelisted
crl.microsoft.com	23.53.40.178 23.53.40.176	whitelisted
www.microsoft.com	23.35.229.160	whitelisted
google.com	142.250.185.174	whitelisted
sti-kg.com	92.113.16.99	malicious
client.wns.windows.com	172.211.123.249	whitelisted
login.live.com	20.190.160.66 20.190.160.4 20.190.160.2 20.190.160.64 40.126.32.72 40.126.32.134 20.190.160.14 20.190.160.128	whitelisted
ocsp.digicert.com	2.17.190.73	whitelisted
slscr.update.microsoft.com	20.12.23.50	whitelisted
fe3cr.delivery.mp.microsoft.com	20.242.39.171	whitelisted

Threats

PID	Process	Class	Message
5404	javaw.exe	Misc activity	INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
5404	javaw.exe	Misc activity	INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
5404	javaw.exe	Misc activity	INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
5404	javaw.exe	Potential Corporate Privacy Violation	ET INFO PE EXE or DLL Windows file download HTTP
5404	javaw.exe	A Network Trojan was detected	ET MALWARE Possible Windows executable sent when remote host claims to send a Text File
5404	javaw.exe	Misc activity	INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
5404	javaw.exe	A Network Trojan was detected	ET MALWARE Possible Windows executable sent when remote host claims to send a Text File
5404	javaw.exe	Misc activity	INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
5404	javaw.exe	Misc activity	INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
5404	javaw.exe	Misc activity	ET INFO Packed Executable Download

Add for printing

No debug info

General Info

72349011.jar

B13F7CCBEDFB71B0211C14AFE0815B36

A292736146839D995E0038815B667B6387BDFE70

41FCBC99F4CDE5934AA31B2EEF9E90ABEA5082AA62493B644FE4ADDA7096AF21

384:z1G/Ep/DlMf6Qz1ub3chC3qaWxccWurMWr9K/f2iKRKdutw:z1Ke/DuffRPk6ucRrlc/fDKRK4w

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executing a file with an untrusted certificate

NETSUPPORT has been found (auto)

Create files in the Startup directory

Changes the autorun value in the registry

Uses Task Scheduler to autorun other applications

SUSPICIOUS

Executable content was dropped or overwritten

Process drops legitimate windows executable

Potential Corporate Privacy Violation

The process drops C-runtime libraries

Process requests binary or script from the Internet

Drop NetSupport executable file

Starts CMD.EXE for commands execution

The executable file from the user directory is run by the CMD process

Uses REG/REGEDIT.EXE to modify registry

INFO

Creates files in the program directory

Application based on Java

Create files in a temporary directory

Reads the computer name

Checks supported languages

The sample compiled with english language support

Creates files or folders in the user directory

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings