Download (path as recorded; the host is not captured on this page):
/imystorage/storage/raw/refs/heads/main/JavaUpdater.exe

Full analysis: https://app.any.run/tasks/1f9e446c-0a76-4454-b925-110cacb46479
Verdict: Malicious activity
Threats: Stealer

Stealers are malicious programs built to gain unauthorized access to a user's information and transfer it to the attacker. The category covers tools that each go after a particular kind of data, such as files, passwords and cryptocurrency; many also spy on the victim by logging keystrokes and taking screenshots. Stealers are mostly distributed through phishing campaigns.

Analysis date: December 19, 2024, 08:44:15
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: github, java, evasion, arch-doc, stealer, arch-html
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows, 13 sections
MD5: 0344B4B34AC372390B768EC29073BC34
SHA1: 7B4AB7AC5AEA7493C3781E93EE6DDD111CF536BE
SHA256: 93721F9B1EB15465E6DD1D163A69A80D2392652C63C09D8E6C244F0CBEEDA3EB
SSDEEP: 98304:RFogeh9ecCaOhgWBhcFZSC+jzdF3ga+wUUl1HiFBi+dvINqhYT/R0OjTAs92fOFX:BPYkm

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Actions looks like stealing of personal data

      • javaw.exe (PID: 6744)
    • Steals credentials from Web Browsers

      • javaw.exe (PID: 6744)
  • SUSPICIOUS

    • Uses TASKKILL.EXE to kill Browsers

      • javaw.exe (PID: 6744)
    • Executable content was dropped or overwritten

      • javaw.exe (PID: 6744)
    • Searches for installed software

      • javaw.exe (PID: 6744)
    • Checks for external IP

      • javaw.exe (PID: 6744)
  • INFO

    • Create files in a temporary directory

      • JavaUpdater.exe (PID: 6696)
      • javaw.exe (PID: 6744)
    • Reads the software policy settings

      • JavaUpdater.exe (PID: 6696)
    • Reads the computer name

      • JavaUpdater.exe (PID: 6696)
      • javaw.exe (PID: 6744)
    • Reads the machine GUID from the registry

      • JavaUpdater.exe (PID: 6696)
      • javaw.exe (PID: 6744)
    • Checks supported languages

      • JavaUpdater.exe (PID: 6696)
      • javaw.exe (PID: 6744)
    • Drops encrypted JS script (Microsoft Script Encoder)

      • JavaUpdater.exe (PID: 6696)
    • Drops encrypted VBS script (Microsoft Script Encoder)

      • JavaUpdater.exe (PID: 6696)
    • Application based on Java

      • javaw.exe (PID: 6744)
    • Creates files in the program directory

      • javaw.exe (PID: 6744)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: Executable, Large address aware, No debug
PEType: PE32+
LinkerVersion: 3
CodeSize: 2378240
InitializedDataSize: 245248
UninitializedDataSize: -
EntryPoint: 0x66880
OSVersion: 6.1
ImageVersion: 1
SubsystemVersion: 6.1
Subsystem: Windows GUI
Total processes: 128
Monitored processes: 10
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Processes shown in the graph: javaupdater.exe, javaw.exe, icacls.exe (no specs), conhost.exe (no specs), taskkill.exe (no specs), conhost.exe (no specs), taskkill.exe (no specs), conhost.exe (no specs), taskkill.exe (no specs), conhost.exe (no specs)

Process information

Each entry gives the PID, command line, image path and parent process, followed by the metadata the sandbox recorded for that process (user, company, integrity level, description, exit code, version) and the loaded modules.
PID: 488
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: taskkill.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6696
CMD: "C:\Users\admin\Desktop\JavaUpdater.exe"
Path: C:\Users\admin\Desktop\JavaUpdater.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules
Images
c:\users\admin\desktop\javaupdater.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 6744
CMD: "C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe" -jar C:\Users\admin\AppData\Local\Temp\test.jar
Path: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_2989500\javaw.exe
Parent process: JavaUpdater.exe
User: admin
Company: Oracle Corporation
Integrity Level: MEDIUM
Description: Java(TM) Platform SE binary
Exit code: 0
Version: 8.0.2710.9
Modules
Images
c:\program files (x86)\common files\oracle\java\javapath_target_2989500\javaw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 6824
CMD: C:\WINDOWS\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Path: C:\Windows\System32\icacls.exe
Parent process: javaw.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 6832
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: icacls.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6892
CMD: taskkill /f /im chrome.exe /t
Path: C:\Windows\System32\taskkill.exe
Parent process: javaw.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Terminates Processes
Exit code: 128
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 6900
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: taskkill.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 7032
CMD: taskkill /f /im msedge.exe /t
Path: C:\Windows\System32\taskkill.exe
Parent process: javaw.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Terminates Processes
Exit code: 128
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 7040
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: taskkill.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 7164
CMD: taskkill /f /im msedgewebview2.exe /t
Path: C:\Windows\System32\taskkill.exe
Parent process: javaw.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Terminates Processes
Exit code: 128
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
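The process table above records the whole chain: explorer.exe starts JavaUpdater.exe (PID 6696) from the Desktop; it launches javaw.exe (PID 6744) with -jar on C:\Users\admin\AppData\Local\Temp\test.jar; that JVM then runs taskkill /f /t against chrome.exe, msedge.exe and msedgewebview2.exe (PIDs 6892, 7032, 7164). Stealers terminate browsers to release the profile databases (cookies, saved logins) that a running browser keeps open, so the files can be copied; here all three taskkill calls exited with code 128, consistent with no browser running in the sandbox at the time. The icacls call (PID 6824) on C:\ProgramData\Oracle\Java\.oracle_jre_usage is the Oracle JRE's own usage-tracker directory setup and appears for any program run under this JRE, so it is not an indicator of this sample. The Python below is an added example, not part of the ANY.RUN report or of the sample, that turns the first two observations into a detection over Sysmon-style process-creation events; the events are built from the table above, with the explorer.exe parent PID and the two benign control events at the end invented for the test.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Browsers this sample targeted with taskkill (PIDs 6892, 7032, 7164 above),
# plus the other common browsers a responder would add to the same rule.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "msedgewebview2.exe",
                  "brave.exe", "opera.exe", "firefox.exe"}
JVM_IMAGES = {"java.exe", "javaw.exe"}
# Locations an unprivileged user can write to; the JAR here ran from %TEMP%.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(appdata\\local\\temp|desktop|downloads)\\", re.I)


@dataclass(frozen=True)
class ProcEvent:          # the fields of a Sysmon Event ID 1 that the rule needs
    pid: int
    image: str            # full path of the new process
    cmdline: str
    parent_pid: int
    parent_image: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def taskkill_targets(cmdline: str) -> set:
    """Image names given to taskkill via /im (quotes and case tolerated)."""
    return {t.strip('"').lower()
            for t in re.findall(r'/im\s+("[^"]+"|\S+)', cmdline, re.I)}


def jar_argument(cmdline: str) -> Optional[str]:
    """The path passed to java/javaw -jar, or None if this is not a -jar launch."""
    m = re.search(r'-jar\s+("[^"]+"|\S+)', cmdline, re.I)
    return m.group(1).strip('"') if m else None


def detect(events):
    """Return {jvm_pid: info} for JVMs showing either behaviour; score 2 means
    the JAR came from a user-writable path AND that same JVM killed browsers."""
    jvms = {}
    for e in events:
        if basename(e.image) in JVM_IMAGES:
            jar = jar_argument(e.cmdline)
            jvms[e.pid] = {"jar": jar,
                           "jar_in_user_path": bool(jar and USER_WRITABLE.search(jar)),
                           "killed_browsers": set(),
                           "parent": basename(e.parent_image)}
    for e in events:
        if basename(e.image) == "taskkill.exe" and basename(e.parent_image) in JVM_IMAGES:
            hits = taskkill_targets(e.cmdline) & BROWSER_IMAGES
            if hits:
                entry = jvms.setdefault(e.parent_pid, {"jar": None, "jar_in_user_path": False,
                                                        "killed_browsers": set(), "parent": None})
                entry["killed_browsers"] |= hits
    findings = {}
    for pid, info in jvms.items():
        score = int(info["jar_in_user_path"]) + int(bool(info["killed_browsers"]))
        if score:
            findings[pid] = dict(info, score=score)
    return findings


JAVAW = r"C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_2989500\javaw.exe"
TASKKILL = r"C:\Windows\System32\taskkill.exe"
# Constructed from the process table above; the explorer.exe PID (3200) and the
# two benign control events at the end are invented for this example.
SAMPLE_EVENTS = [
    ProcEvent(6696, r"C:\Users\admin\Desktop\JavaUpdater.exe",
              r'"C:\Users\admin\Desktop\JavaUpdater.exe"', 3200, r"C:\Windows\explorer.exe"),
    ProcEvent(6744, JAVAW,
              r'"C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe" -jar C:\Users\admin\AppData\Local\Temp\test.jar',
              6696, r"C:\Users\admin\Desktop\JavaUpdater.exe"),
    ProcEvent(6892, TASKKILL, "taskkill /f /im chrome.exe /t", 6744, JAVAW),
    ProcEvent(7032, TASKKILL, "taskkill /f /im msedge.exe /t", 6744, JAVAW),
    ProcEvent(7164, TASKKILL, "taskkill /f /im msedgewebview2.exe /t", 6744, JAVAW),
    # control: a JAR launched from Program Files (hypothetical tool), no browser kills
    ProcEvent(8100, r"C:\Program Files\Java\jre8\bin\javaw.exe",
              r'"C:\Program Files\Java\jre8\bin\javaw.exe" -jar "C:\Program Files\ExampleTool\tool.jar"',
              3200, r"C:\Windows\explorer.exe"),
    # control: an operator killing notepad from cmd.exe
    ProcEvent(8200, TASKKILL, "taskkill /f /im notepad.exe", 700, r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for pid, info in detect(SAMPLE_EVENTS).items():
        print(pid, info["score"], info["jar"], sorted(info["killed_browsers"]))
```

A score of 2 means both behaviours came from one JVM PID. Either alone is noisy: developers and installers run JARs from Downloads or %TEMP% all the time, and some updaters close browsers before patching; the combination under a single javaw.exe, started by a freshly dropped "updater", is the pattern this report shows.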
Total events: 4 457
Read events: 4 457
Write events: 0
Delete events: 0

Modification events: no data

Executable files: 2
Suspicious files: 13
Text files: 8
Unknown types: 0

Dropped files

All ten were written by javaw.exe (PID 6744). Paths are reproduced as extracted; four entries (for example "NS-72431568603tpwd223") appear to have lost a path separator in extraction and are left as they are.

C:\Users\admin\AppData\Local\Temp\NS-72431568603\Passwords.txt (text)
MD5: 45167002038DEBD853EC9B582593B239
SHA256: 3D5E052C2395FA459721EA4110A44DE3431F32C86986FE7928329438BD196022

C:\Users\admin\AppData\Local\Temp\NS-72431568603tpwd223 (binary)
MD5: 29A644B1F0D96166A05602FE27B3F4AD
SHA256: BF96902FEB97E990A471492F78EE8386BCF430D66BDAEFDEAFBF912C8CF7CE46

C:\Users\admin\AppData\Local\Temp\NS-72431568603\Cookies\Microsoft_[Edge]_Default.txt (text)
MD5: 50441FCDDE6C24BFC587B9702F2FED7A
SHA256: A198E3BC6B6C3922F6AA8297003E931378693169A11B9B73236CD1C52BBBC7F9

C:\Users\admin\AppData\Local\Temp\NS-72431568603tcookie1159 (sqlite)
MD5: 46D9FCA6032297F8AEE08D73418312BA
SHA256: 865856FA4C33C4AEE52E15FBB370B6611468FE947E76E197F0E50D0AD62CB1B4

C:\Users\admin\AppData\Local\Temp\sqlite-3.16.1-8e11a339-bc09-4e3c-97f4-c5c305a904f5-sqlitejdbc.dll (executable)
MD5: 9C4561424375F1B2DCFECF4475A7FFAB
SHA256: 4B3AED110D181A5DC912DD9FC115BB6DB6B268C8025C22C117F41AA30098D6A4

C:\Users\admin\AppData\Local\Temp\NS-72431568603tstate (binary)
MD5: DFFC82B8D23613E62A20204028CEF32F
SHA256: 114690F0417A9A6B079EA8D0534F095B04467809DCA929EB0983059E1C60FB6C

C:\Users\admin\AppData\Local\Temp\jna-92668751\jna7950205421732756522.dll (executable)
MD5: DF304E40060A89CF6AFA88EB734244D3
SHA256: 783921600B3AE8B7CFAB93B342D56A6FF0072C8C3E54938B83D62426B4C5ECC8

C:\Users\admin\AppData\Local\Temp\NS-72431568603\Autofills\Microsoft_[Edge]_Default.txt (text)
MD5: 45167002038DEBD853EC9B582593B239
SHA256: 3D5E052C2395FA459721EA4110A44DE3431F32C86986FE7928329438BD196022

C:\Users\admin\AppData\Local\Temp\NS-72431568603tcookie1114 (binary)
MD5: 06AD9E737639FDC745B3B65312857109
SHA256: C8925892CA8E213746633033AE95ACFB8DD9531BC376B82066E686AC6F40A404

C:\Users\admin\AppData\Local\Temp\NS-72431568603\Autofills\Google_[Chrome]_Default.txt (text)
MD5: 45167002038DEBD853EC9B582593B239
SHA256: 3D5E052C2395FA459721EA4110A44DE3431F32C86986FE7928329438BD196022
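The dropped-file list is the stealer's output directory plus its working files: a per-run folder NS-<digits> under %LOCALAPPDATA%\Temp holding Passwords.txt and Cookies\ and Autofills\ subfolders with one <Vendor>_[<Browser>]_<Profile>.txt per browser profile, alongside unnamed sqlite/binary files in the same location. The two DLLs are the native libraries that sqlite-jdbc (version 3.16.1, from the file name) and JNA unpack to %TEMP% on every run; they reveal the JAR's dependencies but are not malicious in themselves. Passwords.txt and both Autofills files share one MD5/SHA256 pair, so all three have identical content, most likely empty or header-only output in a sandbox profile with nothing to harvest. The Python below, an added example and not code from the report or the sample, classifies these paths and groups them by hash. The rows are copied from the table as extracted, and the "working file" role assigned to the unnamed sqlite/binary entries is an inference from their names and types, not something the report states.

```python
import re
from collections import defaultdict

# Rows copied from the dropped-files table above (path, type, MD5, SHA256),
# all written by javaw.exe PID 6744. Paths are kept exactly as the page shows
# them, including the four that look like they lost a separator in extraction.
DROPPED_FILES = [
    (r"C:\Users\admin\AppData\Local\Temp\NS-72431568603\Passwords.txt", "text",
     "45167002038DEBD853EC9B582593B239",
     "3D5E052C2395FA459721EA4110A44DE3431F32C86986FE7928329438BD196022"),
    (r"C:\Users\admin\AppData\Local\Temp\NS-72431568603tpwd223", "binary",
     "29A644B1F0D96166A05602FE27B3F4AD",
     "BF96902FEB97E990A471492F78EE8386BCF430D66BDAEFDEAFBF912C8CF7CE46"),
    (r"C:\Users\admin\AppData\Local\Temp\NS-72431568603\Cookies\Microsoft_[Edge]_Default.txt", "text",
     "50441FCDDE6C24BFC587B9702F2FED7A",
     "A198E3BC6B6C3922F6AA8297003E931378693169A11B9B73236CD1C52BBBC7F9"),
    (r"C:\Users\admin\AppData\Local\Temp\NS-72431568603tcookie1159", "sqlite",
     "46D9FCA6032297F8AEE08D73418312BA",
     "865856FA4C33C4AEE52E15FBB370B6611468FE947E76E197F0E50D0AD62CB1B4"),
    (r"C:\Users\admin\AppData\Local\Temp\sqlite-3.16.1-8e11a339-bc09-4e3c-97f4-c5c305a904f5-sqlitejdbc.dll", "executable",
     "9C4561424375F1B2DCFECF4475A7FFAB",
     "4B3AED110D181A5DC912DD9FC115BB6DB6B268C8025C22C117F41AA30098D6A4"),
    (r"C:\Users\admin\AppData\Local\Temp\NS-72431568603tstate", "binary",
     "DFFC82B8D23613E62A20204028CEF32F",
     "114690F0417A9A6B079EA8D0534F095B04467809DCA929EB0983059E1C60FB6C"),
    (r"C:\Users\admin\AppData\Local\Temp\jna-92668751\jna7950205421732756522.dll", "executable",
     "DF304E40060A89CF6AFA88EB734244D3",
     "783921600B3AE8B7CFAB93B342D56A6FF0072C8C3E54938B83D62426B4C5ECC8"),
    (r"C:\Users\admin\AppData\Local\Temp\NS-72431568603\Autofills\Microsoft_[Edge]_Default.txt", "text",
     "45167002038DEBD853EC9B582593B239",
     "3D5E052C2395FA459721EA4110A44DE3431F32C86986FE7928329438BD196022"),
    (r"C:\Users\admin\AppData\Local\Temp\NS-72431568603tcookie1114", "binary",
     "06AD9E737639FDC745B3B65312857109",
     "C8925892CA8E213746633033AE95ACFB8DD9531BC376B82066E686AC6F40A404"),
    (r"C:\Users\admin\AppData\Local\Temp\NS-72431568603\Autofills\Google_[Chrome]_Default.txt", "text",
     "45167002038DEBD853EC9B582593B239",
     "3D5E052C2395FA459721EA4110A44DE3431F32C86986FE7928329438BD196022"),
]

# Harvest output: <run dir>\Passwords.txt or <run dir>\{Cookies,Autofills}\<Vendor>_[<Browser>]_<Profile>.txt
HARVEST_OUTPUT = re.compile(
    r"\\(NS-\d+)\\(?:(Passwords)\.txt|(Cookies|Autofills)\\(\w+)_\[(\w+)\]_(\w+)\.txt)$", re.I)
RUN_DIR = re.compile(r"\\temp\\(NS-\d+)", re.I)
# Native libraries that sqlite-jdbc and JNA unpack to %TEMP% on every run: they
# name the JAR's dependencies but are not malicious code by themselves.
LIBRARY_NATIVE = re.compile(
    r"\\temp\\(?:sqlite-[\d.]+-[0-9a-f-]+-sqlitejdbc\.dll|jna-\d+\\jna\d+\.dll)$", re.I)


def classify(path: str) -> dict:
    info = {"kind": "other", "run_dir": None, "data": None, "browser": None, "profile": None}
    m = HARVEST_OUTPUT.search(path)
    if m:
        run_dir, passwords, section, vendor, browser, profile = m.groups()
        info.update(kind="harvest_output", run_dir=run_dir,
                    data=(passwords or section).lower(),
                    browser=f"{vendor} {browser}" if browser else None, profile=profile)
    elif LIBRARY_NATIVE.search(path):
        info["kind"] = "library_native"
    elif RUN_DIR.search(path):
        # sqlite/binary files in the run directory: by name and type most likely
        # working copies of browser databases (an inference, not stated by the report)
        info.update(kind="working_file", run_dir=RUN_DIR.search(path).group(1))
    return info


def summarize(rows):
    """Count of dropped files per kind."""
    counts = defaultdict(int)
    for path, _ftype, _md5, _sha256 in rows:
        counts[classify(path)["kind"]] += 1
    return dict(counts)


def identical_content_groups(rows):
    """Paths sharing one SHA256, i.e. byte-identical files."""
    by_hash = defaultdict(list)
    for path, _ftype, _md5, sha256 in rows:
        by_hash[sha256.upper()].append(path)
    return {h: paths for h, paths in by_hash.items() if len(paths) > 1}


def run_directories(rows):
    """The per-run NS-<digits> directories referenced by the dropped paths."""
    return {classify(path)["run_dir"] for path, *_ in rows} - {None}


if __name__ == "__main__":
    print(summarize(DROPPED_FILES), run_directories(DROPPED_FILES))
    for sha256, paths in identical_content_groups(DROPPED_FILES).items():
        print(sha256, len(paths), "identical files")
```

For hunting on other hosts the useful artefacts are the run-directory name pattern and the output file names, not the hashes: the native DLL names carry a random component and the text outputs will differ on any machine that actually had browser data.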
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 8
TCP/UDP connections: 35
DNS requests: 21
Threats: 5

HTTP requests

Columns follow the page header (PID, Process, Method, HTTP code, IP, URL, CN, Reputation); the Type and Size columns did not survive extraction and two rows carry no PID/Process. Every request is a CRL or OCSP fetch by a Windows component; none belongs to the sample's processes (6696, 6744), whose traffic is TLS and appears only in the connections, DNS and threat tables.

PID | Process | Method | Code | IP | URL | CN | Reputation
- | - | GET | 200 | 2.16.164.106:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
5064 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
4668 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
6436 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | whitelisted
4668 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
6436 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted
- | - | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
1176 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted

Connections

Columns: PID, Process, IP, Domain, ASN, CN, Reputation (cells that were empty in the extracted text are shown as "-"). The onrender.com host that javaw.exe reached, listed under DNS requests and in the Threats table, does not appear in this table.

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
524 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 2.23.209.192:443 | www.bing.com | Akamai International B.V. | GB | whitelisted
- | - | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 2.16.164.106:80 | crl.microsoft.com | Akamai International B.V. | NL | unknown
- | - | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6696 | JavaUpdater.exe | 140.82.121.3:443 | github.com | GITHUB | US | unknown
6696 | JavaUpdater.exe | 185.199.111.133:443 | raw.githubusercontent.com | FASTLY | US | shared
6744 | javaw.exe | 104.16.184.241:443 | ipv4.icanhazip.com | CLOUDFLARENET | - | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.104.136.2
whitelisted
www.bing.com
  • 2.23.209.192
  • 2.23.209.189
  • 2.23.209.193
  • 2.23.209.186
  • 2.23.209.187
  • 2.23.209.132
  • 2.23.209.133
  • 2.23.209.191
  • 2.23.209.188
whitelisted
crl.microsoft.com
  • 2.16.164.106
  • 2.16.164.49
whitelisted
www.microsoft.com
  • 88.221.169.152
  • 95.101.149.131
whitelisted
google.com
  • 142.250.185.206
whitelisted
github.com
  • 140.82.121.3
shared
raw.githubusercontent.com
  • 185.199.111.133
  • 185.199.110.133
  • 185.199.108.133
  • 185.199.109.133
shared
ipv4.icanhazip.com
  • 104.16.184.241
  • 104.16.185.241
whitelisted
mte3mdcxmtkzmzeznda0ntmwnq.onrender.com
  • 216.24.57.4
  • 216.24.57.252
unknown
ocsp.digicert.com
  • 192.229.221.95
whitelisted

Threats

PID | Process | Class | Message
2192 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Attempting to access raw user content on GitHub
2192 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Host dynamic web apps service (.onrender .com)
2192 | svchost.exe | Misc activity | ET INFO DNS Query to Online Application Hosting Domain (onrender .com)
6744 | javaw.exe | Misc activity | ET INFO Observed Online Application Hosting Domain (onrender .com in TLS SNI)
1 ETPRO signatures available at the full report
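On the network side the tables above show three things: JavaUpdater.exe (PID 6696) connects to github.com and raw.githubusercontent.com (presumably to fetch the JAR it then runs from %TEMP%, though the report does not say what was downloaded); javaw.exe (PID 6744) looks up its external address at ipv4.icanhazip.com and opens TLS to mte3mdcxmtkzmzeznda0ntmwnq.onrender.com, the only host in the DNS list that is neither whitelisted nor shared; and the DNS-based signatures are attributed to svchost.exe (PID 2192) because the Windows DNS client service sends queries on behalf of every process, so only the SNI match ties the onrender.com host to the JVM. The Python below is an added example, not part of the ANY.RUN report, that encodes those observations as rules over Sysmon-style DNS and TLS events and correlates them per process; the events are constructed from the connections, DNS and threat tables, with one invented benign control (a user opening an IP-check site in Chrome). In a Sysmon deployment Event ID 22 already names the originating process, but the rule still treats svchost.exe-attributed DNS as unattributed so that a network-sensor feed never blames the DNS service.

```python
import re
from dataclasses import dataclass

# Rules taken from the indicator and threat lines above: a PaaS subdomain in
# DNS / TLS SNI (ET INFO onrender.com), an external-IP lookup (ipv4.icanhazip.com)
# and a fetch of raw GitHub content. The extra hostnames are common equivalents.
PAAS_SUFFIXES = (".onrender.com",)
EXTERNAL_IP_SERVICES = {"ipv4.icanhazip.com", "icanhazip.com", "api.ipify.org",
                        "ifconfig.me", "checkip.amazonaws.com"}
RAW_CODE_HOSTING = {"raw.githubusercontent.com", "objects.githubusercontent.com"}
# The Windows DNS client service (svchost.exe) sends queries on behalf of every
# process, so a DNS hit attributed to it does not identify the origin program.
UNATTRIBUTABLE = {"svchost.exe", "system"}
OPAQUE_LABEL = re.compile(r"^[a-z0-9]{20,}$")   # long, random-looking first label


@dataclass(frozen=True)
class NetEvent:
    pid: int
    image: str   # process image path
    kind: str    # "dns" (Sysmon 22 query) or "sni" (TLS server name)
    name: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_rules(name: str) -> set:
    """Rule names that a queried / SNI hostname triggers (empty set if none)."""
    name = name.lower().rstrip(".")
    hits = set()
    if name.endswith(PAAS_SUFFIXES):
        hits.add("paas_hosting")
        if OPAQUE_LABEL.match(name.split(".")[0]):
            hits.add("opaque_subdomain")
    if name in EXTERNAL_IP_SERVICES:
        hits.add("external_ip_check")
    if name in RAW_CODE_HOSTING:
        hits.add("raw_code_hosting")
    return hits


def correlate(events):
    """Group rule hits per process; hits seen only through the DNS client
    service are kept under key None instead of being blamed on svchost.exe."""
    per = {}
    for ev in events:
        hits = match_rules(ev.name)
        if not hits:
            continue
        key = None if basename(ev.image) in UNATTRIBUTABLE else ev.pid
        entry = per.setdefault(key, {"image": basename(ev.image), "names": set(), "hits": set()})
        entry["names"].add(ev.name.lower())
        entry["hits"] |= hits
    for pid, entry in per.items():
        if pid is None:
            entry["verdict"] = "unattributed"
        elif {"paas_hosting", "external_ip_check"} <= entry["hits"]:
            entry["verdict"] = "stealer_like"      # the javaw.exe (6744) pattern
        elif "raw_code_hosting" in entry["hits"]:
            entry["verdict"] = "fetches_raw_code"  # the JavaUpdater.exe (6696) pattern
        else:
            entry["verdict"] = "informational"
    return per


SVCHOST = r"C:\Windows\System32\svchost.exe"
JAVAW = r"C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_2989500\javaw.exe"
# Constructed from the connections, DNS and threat tables above; the last
# event (a user opening an IP-check site in Chrome) is an invented control.
SAMPLE_EVENTS = [
    NetEvent(2192, SVCHOST, "dns", "raw.githubusercontent.com"),
    NetEvent(2192, SVCHOST, "dns", "mte3mdcxmtkzmzeznda0ntmwnq.onrender.com"),
    NetEvent(524, SVCHOST, "sni", "settings-win.data.microsoft.com"),
    NetEvent(6696, r"C:\Users\admin\Desktop\JavaUpdater.exe", "sni", "github.com"),
    NetEvent(6696, r"C:\Users\admin\Desktop\JavaUpdater.exe", "sni", "raw.githubusercontent.com"),
    NetEvent(6744, JAVAW, "sni", "ipv4.icanhazip.com"),
    NetEvent(6744, JAVAW, "sni", "mte3mdcxmtkzmzeznda0ntmwnq.onrender.com"),
    NetEvent(9100, r"C:\Program Files\Google\Chrome\Application\chrome.exe", "sni", "ipv4.icanhazip.com"),
]

if __name__ == "__main__":
    for pid, entry in correlate(SAMPLE_EVENTS).items():
        print(pid, entry["image"], entry["verdict"], sorted(entry["hits"]))
```

The external-IP check on its own is informational (a browser visit to icanhazip.com triggers it too); paired with an opaque subdomain on a free PaaS from the same non-browser process it is the beaconing shape recorded here, and the onrender.com host is the one indicator from this report worth blocking outright.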
No debug info