File name:

Prestige-Client-1.0.9.jar

Full analysis: https://app.any.run/tasks/c17e7524-06af-444e-a3b7-27a6e8aa5a58
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: April 08, 2026, 15:50:39
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
etherhiding
antivm
anti-evasion
stealer
auto-reg
weedhack
golang
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:

DC725827AA0FE47FCE8974A6FA43AB69

SHA1:

E3B3E917156E38D5686487287582B4FE5D2C46DF

SHA256:

86497AEA20CCEB3765BE183F3B05B33C0A034A655EF1BB570B403A63678C5E9B

SSDEEP:

49152:h1p+ltXl5/MIilMymJ8ZuoxEbEWpOGyLHmGXynXwGisFqWMi4oYQ1ixEVR02QW06:hP+15/Mfw8ZlxKclr7X4XwrSmoY/w02D

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 6104)

    • Adds process to the Windows Defender exclusion list

      • cmd.exe (PID: 7788)

    • Changes Windows Defender settings

      • cmd.exe (PID: 7788)

    • Get Video Controller Information (POWERSHELL)

      • javaw.exe (PID: 3996)

    • Changes powershell execution policy (Bypass)

      • javaw.exe (PID: 3996)

    • Steals credentials from Web Browsers

      • javaw.exe (PID: 3996)

    • Enumerates physical memory (Win32_PhysicalMemory) (SCRIPT)

      • powershell.exe (PID: 4956)

    • WEEDHACK has been detected

      • javaw.exe (PID: 2316)

    • Changes the autorun value in the registry

      • javaw.exe (PID: 2316)

  • SUSPICIOUS

    • Application launched itself

      • javaw.exe (PID: 2960)
      • javaw.exe (PID: 3996)
      • javaw.exe (PID: 5784)
      • javaw.exe (PID: 2316)

    • Executing commands from ".cmd" file

      • javaw.exe (PID: 3996)

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 7788)
      • cmd.exe (PID: 1652)

    • Adds exclusion path to Windows Defender (POWERSHELL)

      • cmd.exe (PID: 7788)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 7788)
      • javaw.exe (PID: 3996)

    • Script adds exclusion process to Windows Defender

      • cmd.exe (PID: 7788)

    • Executable content was dropped or overwritten

      • javaw.exe (PID: 3996)
      • javaw.exe (PID: 2316)
      • javaw.exe (PID: 5784)
      • javaw.exe (PID: 4136)
      • javaw.exe (PID: 1176)

    • There is functionality for VM detection VMWare (YARA)

      • javaw.exe (PID: 3996)
      • javaw.exe (PID: 2316)

    • There is functionality for VM detection antiVM strings (YARA)

      • javaw.exe (PID: 3996)
      • javaw.exe (PID: 2316)

    • There is functionality for VM detection VirtualBox (YARA)

      • javaw.exe (PID: 3996)
      • javaw.exe (PID: 2316)

    • The process bypasses the loading of PowerShell profile settings

      • javaw.exe (PID: 3996)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 6432)
      • powershell.exe (PID: 4956)

    • Possible stealing of messenger data

      • javaw.exe (PID: 3996)

    • Possible stealing from browsers

      • javaw.exe (PID: 3996)

    • Loads DLL from Mozilla Firefox

      • javaw.exe (PID: 3996)

    • Uses NETSH.EXE to obtain data on the network

      • javaw.exe (PID: 3996)

    • Possible stealing from crypto wallets

      • javaw.exe (PID: 3996)

    • Reads the date of Windows installation

      • javaw.exe (PID: 5784)

  • INFO

    • Reads Environment values

      • javaw.exe (PID: 2960)
      • javaw.exe (PID: 3996)
      • javaw.exe (PID: 2316)
      • javaw.exe (PID: 5784)
      • javaw.exe (PID: 4136)
      • javaw.exe (PID: 1176)

    • Checks supported languages

      • javaw.exe (PID: 2960)
      • javaw.exe (PID: 3996)
      • javaw.exe (PID: 2316)
      • javaw.exe (PID: 5784)
      • javaw.exe (PID: 4136)
      • javaw.exe (PID: 1176)

    • Reads CPU info

      • javaw.exe (PID: 3996)
      • javaw.exe (PID: 2960)
      • javaw.exe (PID: 2316)
      • javaw.exe (PID: 5784)
      • javaw.exe (PID: 4136)
      • javaw.exe (PID: 1176)

    • Create files in a temporary directory

      • javaw.exe (PID: 2960)
      • javaw.exe (PID: 3996)
      • javaw.exe (PID: 2316)
      • javaw.exe (PID: 5784)
      • javaw.exe (PID: 4136)
      • javaw.exe (PID: 1176)

    • Reads the computer name

      • javaw.exe (PID: 3996)
      • javaw.exe (PID: 2316)
      • javaw.exe (PID: 5784)
      • javaw.exe (PID: 1176)

    • Reads the machine GUID from the registry

      • javaw.exe (PID: 3996)
      • javaw.exe (PID: 2316)
      • javaw.exe (PID: 5784)
      • javaw.exe (PID: 4136)
      • javaw.exe (PID: 1176)

    • Creates files or folders in the user directory

      • javaw.exe (PID: 3996)
      • WerFault.exe (PID: 6096)
      • WerFault.exe (PID: 6936)
      • javaw.exe (PID: 2316)
      • javaw.exe (PID: 1176)

    • Process checks computer location settings

      • javaw.exe (PID: 3996)
      • javaw.exe (PID: 5784)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 6104)

    • Manual execution by a user

      • javaw.exe (PID: 5784)

    • Launching a file from a Registry key

      • javaw.exe (PID: 2316)

    • Reads security settings of Internet Explorer

      • javaw.exe (PID: 5784)

    • Detects GO elliptic curve encryption (YARA)

      • javaw.exe (PID: 1176)

    • Application based on Golang

      • javaw.exe (PID: 1176)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.jar | Java Archive (78.3)
.zip | ZIP compressed archive (21.6)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2026:04:02 17:48:32
ZipCRC: 0xa4c9fed2
ZipCompressedSize: 287
ZipUncompressedSize: 509
ZipFileName: fabric.mod.json
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
192
Monitored processes
27
Malicious processes
4
Suspicious processes
3

Behavior graph

Click at the process to see the details
start javaw.exe no specs slui.exe javaw.exe cmd.exe no specs conhost.exe no specs powershell.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs chrome.exe werfault.exe msedge.exe werfault.exe netsh.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs #WEEDHACK javaw.exe javaw.exe javaw.exe javaw.exe svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
664"C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe
javaw.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
3765269347
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
1176"C:\Program Files\Java\jdk-25.0.2\bin\javaw.exe" -cp C:\Users\admin\AppData\Roaming\Microsoft\SecurityUpdates\component-735a48b5-2325-486b-8a4c-eb83b061aeae.jar dev.majanito.Main false 69eaa895-066f-42ba-9e48-0c94fd95b50bC:\Program Files\Java\jdk-25.0.2\bin\javaw.exe
javaw.exe
User:
admin
Company:
N/A
Integrity Level:
MEDIUM
Description:
Java(TM) Platform SE binary
Version:
25.0.2.0
Modules
Images
c:\program files\java\jdk-25.0.2\bin\javaw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\program files\java\jdk-25.0.2\bin\jli.dll
c:\program files\java\jdk-25.0.2\bin\vcruntime140.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
1652cmd.exe /c "mullvad account get"C:\Windows\System32\cmd.exejavaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
2232C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2316"C:\Program Files\Java\jdk-25.0.2\bin\javaw.exe" -cp C:\Users\admin\AppData\Roaming\Microsoft\SecurityUpdates\SecurityManager.jar dev.majanito.security.Main --dont-elevate --add-to-registryC:\Program Files\Java\jdk-25.0.2\bin\javaw.exe
javaw.exe
User:
admin
Company:
N/A
Integrity Level:
MEDIUM
Description:
Java(TM) Platform SE binary
Version:
25.0.2.0
Modules
Images
c:\program files\java\jdk-25.0.2\bin\javaw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\program files\java\jdk-25.0.2\bin\jli.dll
c:\program files\java\jdk-25.0.2\bin\vcruntime140.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
2960"C:\Program Files\Java\jdk-25.0.2\bin\javaw.exe" -jar C:\Users\admin\Desktop\Prestige-Client-1.0.9.jarC:\Program Files\Java\jdk-25.0.2\bin\javaw.exeexplorer.exe
User:
admin
Company:
N/A
Integrity Level:
MEDIUM
Description:
Java(TM) Platform SE binary
Exit code:
0
Version:
25.0.2.0
Modules
Images
c:\program files\java\jdk-25.0.2\bin\javaw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\program files\java\jdk-25.0.2\bin\jli.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\program files\java\jdk-25.0.2\bin\vcruntime140.dll
3996"C:\Program Files\Java\jdk-25.0.2\bin\javaw.exe" -jar C:\Users\admin\Desktop\Prestige-Client-1.0.9.jar --jwC:\Program Files\Java\jdk-25.0.2\bin\javaw.exe
javaw.exe
User:
admin
Company:
N/A
Integrity Level:
MEDIUM
Description:
Java(TM) Platform SE binary
Exit code:
0
Version:
25.0.2.0
Modules
Images
c:\program files\java\jdk-25.0.2\bin\javaw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\program files\java\jdk-25.0.2\bin\jli.dll
c:\program files\java\jdk-25.0.2\bin\vcruntime140.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
4136"C:\Program Files\Java\jdk-25.0.2\bin\javaw.exe" -cp "C:\Users\admin\AppData\Roaming\Microsoft\SecurityUpdates\SecurityManager.jar" dev.majanito.security.MainC:\Program Files\Java\jdk-25.0.2\bin\javaw.exe
javaw.exe
User:
admin
Company:
N/A
Integrity Level:
HIGH
Description:
Java(TM) Platform SE binary
Exit code:
0
Version:
25.0.2.0
Modules
Images
c:\program files\java\jdk-25.0.2\bin\javaw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\program files\java\jdk-25.0.2\bin\jli.dll
c:\program files\java\jdk-25.0.2\bin\vcruntime140.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
4816netsh wlan show networks mode=bssidC:\Windows\System32\netsh.exejavaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Network Command Shell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
4956powershell.exe -NoProfile -ExecutionPolicy Bypass -Command "& { (Get-CimInstance -ClassName Win32_ComputerSystem).TotalPhysicalMemory }"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exejavaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\atl.dll
c:\windows\system32\ucrtbase.dll
Total events
45 161
Read events
45 159
Write events
2
Delete events
0

Modification events

(PID) Process:(5220) slui.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\3d\52C64B7E
Operation:writeName:@%SystemRoot%\System32\sppcomapi.dll,-3200
Value:
Software Licensing
(PID) Process:(2316) javaw.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:JavaSecurityUpdater
Value:
"C:\Program Files\Java\jdk-25.0.2\bin\javaw.exe" -cp "C:\Users\admin\AppData\Roaming\Microsoft\SecurityUpdates\SecurityManager.jar" dev.majanito.security.Main
Executable files
15
Suspicious files
12
Text files
31
Unknown types
0

Dropped files

PID
Process
Filename
Type
3996javaw.exeC:\Users\admin\AppData\Local\Temp\lib6938487783814617467.tmpexecutable
MD5:EEF40C937E8DFA6CA7EE737D9902EB1C
SHA256:76B09EC06C812EC6C6464437AD1E931F29983F39EA9A82638FC51C16A78A3C6D
3996javaw.exeC:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1693682860-607145093-2874071422-1001\83aa4cc77f591dfc2374580bbd95f6ba_bb926e54-e3ca-40fd-ae90-2764341e7792binary
MD5:C8366AE350E7019AEFC9D1E6E6A498C6
SHA256:11E6ACA8E682C046C83B721EEB5C72C5EF03CB5936C60DF6F4993511DDC61238
3996javaw.exeC:\Users\admin\AppData\Local\Temp\lib17479426004483824652.tmpexecutable
MD5:B6D6A5CFCBECDF925EF3A9122285EBC9
SHA256:558A2A0CF421413CF1FAD17A9B34C0219A9F15BEA300B5DDBA33F41268C54381
6240powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_xnffdxxw.rme.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7324powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_5zjwfgev.wvs.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6104powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_pzxmmhd0.s3d.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3996javaw.exeC:\Users\admin\AppData\Local\Temp\WinDefConfig.cmdtext
MD5:C925DCFC4CDBDBED3465824646A660FB
SHA256:1B5CA4D2B5EB23041DA0F6EFFDC408D50768701D4140A21C9FBD244F9458D720
6104powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ywlkjmsg.fwu.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3996javaw.exeC:\Users\admin\AppData\Local\Temp\jna-1775663460804\jnidispatch.dllexecutable
MD5:2D2475F1F026DD54E9F3E787AE4F81DA
SHA256:5A7FF949F6D93D86491EB5B26B1CFC60051168A60622650224B89995AC420023
6104powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_x4zvtkub.huc.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
86
TCP/UDP connections
93
DNS requests
27
Threats
29

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5316
svchost.exe
POST
400
20.190.157.4:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
text
203 b
whitelisted
GET
200
1.0.0.1:443
https://cloudflare-dns.com/dns-query?name=eth.llamarpc.com&type=A
AU
text
266 b
unknown
5316
svchost.exe
POST
400
20.190.157.4:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
text
203 b
whitelisted
POST
400
20.190.160.3:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
text
203 b
whitelisted
5316
svchost.exe
POST
200
20.190.157.4:443
https://login.live.com/RST2.srf
US
xml
1.24 Kb
whitelisted
3996
javaw.exe
POST
200
51.254.59.59:443
https://eth.api.onfinality.io/public
FR
binary
934 b
malicious
5316
svchost.exe
POST
400
20.190.157.4:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
text
203 b
whitelisted
7160
SIHClient.exe
GET
304
135.232.92.137:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
US
whitelisted
3448
svchost.exe
GET
200
72.246.29.11:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
US
binary
814 b
whitelisted
3448
svchost.exe
GET
200
23.216.77.20:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
NL
binary
825 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
Not routed
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7312
slui.exe
48.192.1.64:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
184.86.251.24:443
www.bing.com
AKAMAI-ASN1
NL
whitelisted
4
System
192.168.100.255:138
Not routed
whitelisted
3448
svchost.exe
23.216.77.20:80
crl.microsoft.com
AKAMAI-ASN1
NL
whitelisted
3448
svchost.exe
72.246.29.11:80
www.microsoft.com
AKAMAI-AS
US
whitelisted
5208
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5220
slui.exe
48.192.1.64:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
3996
javaw.exe
104.16.248.249:443
cloudflare-dns.com
CLOUDFLARENET
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 20.73.194.208
whitelisted
activation-v2.sls.microsoft.com
  • 48.192.1.64
whitelisted
www.bing.com
  • 184.86.251.24
  • 184.86.251.13
  • 184.86.251.27
whitelisted
google.com
  • 142.251.14.113
  • 142.251.14.101
  • 142.251.14.138
  • 142.251.14.139
  • 142.251.14.102
  • 142.251.14.100
whitelisted
crl.microsoft.com
  • 23.216.77.20
  • 23.216.77.36
  • 23.216.77.6
  • 23.216.77.28
whitelisted
www.microsoft.com
  • 72.246.29.11
  • 23.52.181.212
  • 88.221.169.152
whitelisted
cloudflare-dns.com
  • 104.16.248.249
  • 104.16.249.249
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
login.live.com
  • 20.190.157.4
  • 20.190.157.2
  • 20.190.157.0
  • 20.190.157.13
  • 40.126.29.13
  • 40.126.29.12
  • 40.126.29.6
  • 20.190.157.1
whitelisted
slscr.update.microsoft.com
  • 135.232.92.137
whitelisted

Threats

PID
Process
Class
Message
2232
svchost.exe
Misc activity
INFO [ANY.RUN] Cloudflare DNS-over-HTTPS service requested (cloudflare-dns .com)
3996
javaw.exe
Misc activity
ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)
A Network Trojan was detected
ET MALWARE EtherHiding Exfil M2
A Network Trojan was detected
ET MALWARE EtherHiding Exfil M2
Misc activity
INFO [ANY.RUN] DDoS-Guard Hosted Web Content observed
A Network Trojan was detected
ET MALWARE EtherHiding Exfil M2
A Network Trojan was detected
ET MALWARE EtherHiding Exfil M2
A Network Trojan was detected
ET MALWARE EtherHiding Exfil M2
3996
javaw.exe
Misc activity
ET INFO Observed Google DNS over HTTPS Domain (dns .google in TLS SNI)
A Network Trojan was detected
ET MALWARE EtherHiding Exfil M2
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Prestige-Client-1.0.9.jar