download:

/imystorage/storage/raw/refs/heads/main/JavaUpdater.exe

Full analysis: https://app.any.run/tasks/1f9e446c-0a76-4454-b925-110cacb46479
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: December 19, 2024, 08:44:15
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
github
java
evasion
arch-doc
stealer
arch-html
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows, 13 sections
MD5: 0344B4B34AC372390B768EC29073BC34
SHA1: 7B4AB7AC5AEA7493C3781E93EE6DDD111CF536BE
SHA256: 93721F9B1EB15465E6DD1D163A69A80D2392652C63C09D8E6C244F0CBEEDA3EB
SSDEEP: 98304:RFogeh9ecCaOhgWBhcFZSC+jzdF3ga+wUUl1HiFBi+dvINqhYT/R0OjTAs92fOFX:BPYkm

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Actions looks like stealing of personal data

      • javaw.exe (PID: 6744)
    • Steals credentials from Web Browsers

      • javaw.exe (PID: 6744)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • javaw.exe (PID: 6744)
    • Uses TASKKILL.EXE to kill Browsers

      • javaw.exe (PID: 6744)
    • Checks for external IP

      • javaw.exe (PID: 6744)
    • Searches for installed software

      • javaw.exe (PID: 6744)
  • INFO

    • Reads the machine GUID from the registry

      • JavaUpdater.exe (PID: 6696)
      • javaw.exe (PID: 6744)
    • Reads the computer name

      • JavaUpdater.exe (PID: 6696)
      • javaw.exe (PID: 6744)
    • Reads the software policy settings

      • JavaUpdater.exe (PID: 6696)
    • Checks supported languages

      • JavaUpdater.exe (PID: 6696)
      • javaw.exe (PID: 6744)
    • Create files in a temporary directory

      • JavaUpdater.exe (PID: 6696)
      • javaw.exe (PID: 6744)
    • Drops encrypted JS script (Microsoft Script Encoder)

      • JavaUpdater.exe (PID: 6696)
    • Application based on Java

      • javaw.exe (PID: 6744)
    • Drops encrypted VBS script (Microsoft Script Encoder)

      • JavaUpdater.exe (PID: 6696)
    • Creates files in the program directory

      • javaw.exe (PID: 6744)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: Executable, Large address aware, No debug
PEType: PE32+
LinkerVersion: 3
CodeSize: 2378240
InitializedDataSize: 245248
UninitializedDataSize: -
EntryPoint: 0x66880
OSVersion: 6.1
ImageVersion: 1
SubsystemVersion: 6.1
Subsystem: Windows GUI
No data.
Total processes: 128
Monitored processes: 10
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Process nodes, in graph order: start, javaupdater.exe, javaw.exe, icacls.exe (no specs), conhost.exe (no specs), taskkill.exe (no specs), conhost.exe (no specs), taskkill.exe (no specs), conhost.exe (no specs), taskkill.exe (no specs), conhost.exe (no specs)

Process information

PID: 488
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: taskkill.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6696
CMD: "C:\Users\admin\Desktop\JavaUpdater.exe"
Path: C:\Users\admin\Desktop\JavaUpdater.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\desktop\javaupdater.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 6744
CMD: "C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe" -jar C:\Users\admin\AppData\Local\Temp\test.jar
Path: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_2989500\javaw.exe
Parent process: JavaUpdater.exe
User: admin
Company: Oracle Corporation
Integrity Level: MEDIUM
Description: Java(TM) Platform SE binary
Exit code: 0
Version: 8.0.2710.9
Modules (images):
c:\program files (x86)\common files\oracle\java\javapath_target_2989500\javaw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 6824
CMD: C:\WINDOWS\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Path: C:\Windows\System32\icacls.exe
Parent process: javaw.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 6832
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: icacls.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6892
CMD: taskkill /f /im chrome.exe /t
Path: C:\Windows\System32\taskkill.exe
Parent process: javaw.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Terminates Processes
Exit code: 128
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 6900
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: taskkill.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 7032
CMD: taskkill /f /im msedge.exe /t
Path: C:\Windows\System32\taskkill.exe
Parent process: javaw.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Terminates Processes
Exit code: 128
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 7040
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: taskkill.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 7164
CMD: taskkill /f /im msedgewebview2.exe /t
Path: C:\Windows\System32\taskkill.exe
Parent process: javaw.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Terminates Processes
Exit code: 128
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events: 4 457
Read events: 4 457
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 2
Suspicious files: 13
Text files: 8
Unknown types: 0

Dropped files

PID | Process | Filename | Type
6744 | javaw.exe | C:\Users\admin\AppData\Local\Temp\NS-72431568603\Autofills\Google_[Chrome]_Default.txt | text
MD5:45167002038DEBD853EC9B582593B239
SHA256:3D5E052C2395FA459721EA4110A44DE3431F32C86986FE7928329438BD196022
6744 | javaw.exe | C:\Users\admin\AppData\Local\Temp\NS-72431568603tpwd223 | binary
MD5:29A644B1F0D96166A05602FE27B3F4AD
SHA256:BF96902FEB97E990A471492F78EE8386BCF430D66BDAEFDEAFBF912C8CF7CE46
6744 | javaw.exe | C:\Users\admin\AppData\Local\Temp\NS-72431568603\Screenshot.jpg | image
MD5:0A73A8B19C14EE7826E1AAC599BEE93B
SHA256:99F364E86F9A5F90EBDDE794F9897173995E5EF162CB80A1A06F23F880759A4D
6744 | javaw.exe | C:\Users\admin\AppData\Local\Temp\NS-72431568603\Cookies\Microsoft_[Edge]_Default.txt | text
MD5:50441FCDDE6C24BFC587B9702F2FED7A
SHA256:A198E3BC6B6C3922F6AA8297003E931378693169A11B9B73236CD1C52BBBC7F9
6744 | javaw.exe | C:\Users\admin\AppData\Local\Temp\NS-72431568603trefil1061 | binary
MD5:95FFD778940E6DF4846B0B12C8DD5821
SHA256:21A2DEBD389DB456465DFEFFDB15F0AF3FBC46F007CBA67513A13EB10D14E94F
6744 | javaw.exe | C:\Users\admin\AppData\Local\Temp\NS-72431568603\InstalledSoftware.txt | text
MD5:9B06910AEE102E9F5A27327279192935
SHA256:65E0D446193484CE5ADD7B57B702A637F4F9CEA54DA2ADE040165ABB24D81EDB
6744 | javaw.exe | C:\Users\admin\AppData\Local\Temp\NS-72431568603tcookie1114 | binary
MD5:06AD9E737639FDC745B3B65312857109
SHA256:C8925892CA8E213746633033AE95ACFB8DD9531BC376B82066E686AC6F40A404
6744 | javaw.exe | C:\Users\admin\AppData\Local\Temp\NS-72431568603trefil440 | binary
MD5:F6C33AC5E1032A0873BE7BFC65169287
SHA256:D97895CEDED32E33D57BDCACCDBE144E58AA87AF4D2F8855D630286CE30A8D83
6744 | javaw.exe | C:\Users\admin\AppData\Local\Temp\NS-72431568603\Autofills\Microsoft_[Edge]_Default.txt | text
MD5:45167002038DEBD853EC9B582593B239
SHA256:3D5E052C2395FA459721EA4110A44DE3431F32C86986FE7928329438BD196022
6744 | javaw.exe | C:\Users\admin\AppData\Local\Temp\NS-72431568603tpwd263 | binary
MD5:A45465CDCDC6CB30C8906F3DA4EC114C
SHA256:4412319EF944EBCCA9581CBACB1D4E1DC614C348D1DFC5D2FAAAAD863D300209
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 8
TCP/UDP connections: 35
DNS requests: 21
Threats: 5

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4668
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
1176
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
4668
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
6436
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
GET
200
2.16.164.106:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5064
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
6436
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | | | | whitelisted
524 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
| | 2.23.209.192:443 | www.bing.com | Akamai International B.V. | GB | whitelisted
| | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
| | 2.16.164.106:80 | crl.microsoft.com | Akamai International B.V. | NL | unknown
| | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
| | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6696 | JavaUpdater.exe | 140.82.121.3:443 | github.com | GITHUB | US | unknown
6696 | JavaUpdater.exe | 185.199.111.133:443 | raw.githubusercontent.com | FASTLY | US | shared
6744 | javaw.exe | 104.16.184.241:443 | ipv4.icanhazip.com | CLOUDFLARENET | | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.104.136.2
whitelisted
www.bing.com
  • 2.23.209.192
  • 2.23.209.189
  • 2.23.209.193
  • 2.23.209.186
  • 2.23.209.187
  • 2.23.209.132
  • 2.23.209.133
  • 2.23.209.191
  • 2.23.209.188
whitelisted
crl.microsoft.com
  • 2.16.164.106
  • 2.16.164.49
whitelisted
www.microsoft.com
  • 88.221.169.152
  • 95.101.149.131
whitelisted
google.com
  • 142.250.185.206
whitelisted
github.com
  • 140.82.121.3
shared
raw.githubusercontent.com
  • 185.199.111.133
  • 185.199.110.133
  • 185.199.108.133
  • 185.199.109.133
shared
ipv4.icanhazip.com
  • 104.16.184.241
  • 104.16.185.241
whitelisted
mte3mdcxmtkzmzeznda0ntmwnq.onrender.com
  • 216.24.57.4
  • 216.24.57.252
unknown
ocsp.digicert.com
  • 192.229.221.95
whitelisted

Threats

PID | Process | Class | Message
2192 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Attempting to access raw user content on GitHub
2192 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Host dynamic web apps service (.onrender .com)
2192 | svchost.exe | Misc activity | ET INFO DNS Query to Online Application Hosting Domain (onrender .com)
6744 | javaw.exe | Misc activity | ET INFO Observed Online Application Hosting Domain (onrender .com in TLS SNI)
1 ETPRO signatures available at the full report
No debug info