File verdict · Decided by the MT AI Engine
Our call

Safe

Unsigned Java JAR with zero malicious detections from all 17 tier-1 engines (0 of 73 overall); the heuristic process-injection flag is a false positive whose only evidence is the normal javaw.exe -jar launch line.

Trust score 88 · High trust
MT AI confidence · 82%
zerio-FuckedByRaiiinsAndRekt.jar
1.7 MB
SHA-256 (abbreviated) 1852c0552dc62b5b0c…6aa686b7d7
Antivirus engines
0 of 73 flagged
Code signing
Unsigned
Age
First seen 8 days ago
MT AI Engine · our arbiter

The verdict, reasoned out.

Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.

Confidence 82% · High
Reasoning

This unsigned Java application shows zero malicious detections across the 64 engines that returned a result (73 were queried), with 17 tier-1 vendors (BitDefender, Kaspersky, Microsoft, ESET-NOD32, Fortinet, Emsisoft, and others) all reporting it clean. The triggered process-injection heuristic is a false positive: the only evidence attached to it is the launch command line (javaw.exe -jar), which shows the JVM starting the JAR and contains no injection primitive such as a remote thread, APC or reflective DLL load. The anti-analysis tags (detect-debug-environment, checks-cpu-name) also appear in legitimate Java tools that try to resist reverse engineering, but the same checks are used by malware to detect sandboxes, so on their own they are not decisive. No malicious sandbox verdicts, no malicious contacted hosts, and no malicious dropped children (9 inspected; all 9 have never been scanned anywhere, so this is absence of data rather than a clean result) further support a benign classification. The medium prevalence (21 submitters, 22 submissions in 8 days) is consistent with a legitimate but niche Java utility.

Key signals · 5

Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.

  1. 17/17 tier-1 engines undetected (including Avast, BitDefender, Kaspersky, Microsoft, ESET-NOD32, Fortinet, Emsisoft, F-Secure, GData, Ikarus, Avira, AVG, DrWeb)

  2. 0 of the 64 engines that returned a result reported malicious; tier1Malicious=0; onlyLowTrustFlagging=false

  3. triggeredHeuristics: MalwareTips.Synth.ProcessInjection fired, but the only evidence it cites is the normal Java launch command line (javaw.exe -jar execution)

  4. droppedChildren: 9 inspected, 0 malicious, hasMaliciousChild=false

  5. prevalence.classification=medium (21 submitters, 22 submissions over 8 days) — consistent with legitimate but niche Java tool

Points in its favour
  • 17/17 tier-1 engines undetected
  • 0 malicious detections across 64 engines
  • No malicious contacted hosts
  • No malicious dropped children (9 inspected, none ever scanned before)
  • No malicious sandbox verdicts
What to do

This file is classified safe. The process-injection heuristic is a false positive caused by the normal Java runtime launch. Two places where the evidence is thin are still worth weighing: the JAR is unsigned and was first seen only 8 days ago, so zero detections means no vendor has written anything for it yet rather than that it has been vetted, and the 9 files it drops have never been scanned. Run it only if you obtained it from a source you trust, compare the SHA-256 under File identity with the hash that source publishes, and prefer a sandbox or a non-privileged account for a first run.

Runtime behaviour

What this file did when executed

This file was detonated in 1 sandbox and its runtime behaviour was observed. The captured process list mixes Windows entries (javaw.exe, cmd.exe, icacls.exe) with Linux entries (/bin/sh, logrotate, invoke-rc.d), so more than one environment contributed to the trace; the Linux logrotate/cups lines are scheduled host maintenance, not something the JAR did.

MITRE ATT&CK
15

Adversary techniques mapped to the MITRE ATT&CK framework. Sandboxes map ordinary JVM start-up (module loading, system queries, the cmd.exe wrapper the harness used) to several of these IDs, so read them as observations rather than intent.

  • T1055 Process Injection
  • T1059 Command and Scripting Interpreter
  • T1064 Scripting (deprecated; merged into T1059)
  • T1074 Data Staged
  • T1082 System Information Discovery
  • T1105 Ingress Tool Transfer
  • T1106 Native API
  • T1129 Shared Modules
  • T1202 Indirect Command Execution
  • T1518.001 Security Software Discovery
  • T1543.002 Create or Modify System Process: Systemd Service
  • T1562.001 Impair Defenses: Disable or Modify Tools
  • T1564 Hide Artifacts
  • T1564.001 Hidden Files and Directories
  • T1564.003 Hidden Window
Spawned processes
15

Each entry is a captured command line. The sandbox renamed the sample (runtime.jar, sample.jar), wrapped it in cmd.exe and attached its own tracing agent (-javaagent:jartracer.jar, output redirected to C:\cmdlinestart.log); those parts are harness instrumentation, not sample behaviour. The icacls call grants Everyone modify rights on the JRE usage-tracker directory, a set-up step sandboxes routinely capture for Java 8 regardless of the JAR; it still leaves a world-writable path under C:\ProgramData. The gzip, logrotate and invoke-rc.d lines are Linux scheduled-maintenance activity captured alongside the sample.

  • "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\<USER>\Desktop\runtime.jar"
  • C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
  • C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Program Files\Java\jre1.8.0_441\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\sample.jar"" >> C:\cmdlinestart.log 2>&1
  • C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  • "C:\Program Files\Java\jre1.8.0_441\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\sample.jar"
  • /bin/gzip
  • /bin/sh sh -c "\n\t\tinvoke-rc.d --quiet cups restart > /dev/null\n" logrotate_script "/var/log/cups/*log "
  • /usr/sbin/invoke-rc.d invoke-rc.d --quiet cups restart
+7 more processes captured.
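As an added example (not part of the scanner's output), the Python below runs a small triage pass over the command lines captured above, copied from this section as its input, and separates sandbox instrumentation, JRE housekeeping and Linux host background from anything that would need a closer look. It also flags the icacls grant as a world-writable ACL. The category names, the rule list and the ordering are this example's own classification, not the scanner's.

```python
import re

# Command lines copied from this page's "Spawned processes" section; they are the input for the triage below.
CAPTURED = [
    r'"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\<USER>\Desktop\runtime.jar"',
    r'C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M',
    r'C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Program Files\Java\jre1.8.0_441\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\sample.jar"" >> C:\cmdlinestart.log 2>&1',
    r'C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1',
    r'"C:\Program Files\Java\jre1.8.0_441\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\sample.jar"',
    r'/bin/gzip',
    r'/bin/sh sh -c "\n\t\tinvoke-rc.d --quiet cups restart > /dev/null\n" logrotate_script "/var/log/cups/*log "',
    r'/usr/sbin/invoke-rc.d invoke-rc.d --quiet cups restart',
]

# Ordered rules, first match wins. Category names and notes are this example's own, not the scanner's.
# Harness markers are checked first so a java.exe line carrying the tracing agent is not counted as the sample's launch.
RULES = [
    (r'jartracer\.jar|cmdlinestart\.log',
     "sandbox-harness", "tracing agent / log redirection added by the sandbox, not sample behaviour"),
    (r'\\conhost\.exe\b',
     "console-host", "Windows console host spawned for the harness's cmd.exe"),
    (r'\\icacls\.exe .*\\\.oracle_jre_usage .*/grant',
     "jre-housekeeping", "Oracle JRE usage-tracker directory set-up, seen with any Java 8 process"),
    (r'\\javaw?\.exe" -jar ',
     "jvm-launch", "the JAR being started; a launch line is not an injection primitive"),
    (r'^/bin/gzip$|logrotate|invoke-rc\.d',
     "host-background", "Linux logrotate/cron activity captured alongside the sample"),
]

# icacls grants that hand Everyone modify (M) or full (F) control on a directory tree.
WEAK_ACL = re.compile(r'icacls\.exe .*/grant\s+"?everyone"?:\(OI\)\(CI\)[MF]', re.IGNORECASE)


def weak_acl_findings(cmd: str) -> list:
    """Independent of the category, flag ACL changes that make a path writable by every local user."""
    return ["world-writable ACL granted (Everyone: modify or full)"] if WEAK_ACL.search(cmd) else []


def triage(cmdlines) -> list:
    """Classify each captured command line; anything no rule explains is left for manual review."""
    rows = []
    for cmd in cmdlines:
        category, note = "needs-review", "no rule matched; inspect manually"
        for pattern, cat, why in RULES:
            if re.search(pattern, cmd):
                category, note = cat, why
                break
        rows.append({"cmd": cmd, "category": category, "note": note, "findings": weak_acl_findings(cmd)})
    return rows


def summarize(rows) -> dict:
    """Count of command lines per category, the view an analyst wants before reading individual lines."""
    counts = {}
    for row in rows:
        counts[row["category"]] = counts.get(row["category"], 0) + 1
    return counts


if __name__ == "__main__":
    rows = triage(CAPTURED)
    for row in rows:
        flags = f"  !! {'; '.join(row['findings'])}" if row["findings"] else ""
        print(f"[{row['category']:16}] {row['cmd'][:70]}{flags}")
    print(summarize(rows))
```

With the eight lines from this page nothing lands in needs-review: two lines are the harness's tracer, one is the conhost it implies, three are Linux logrotate activity, one is the JRE usage tracker (with the ACL finding attached) and one is the JVM launch the heuristic cited. The seven processes the page does not show would be triaged the same way.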
Filesystem & mutexes
15
Files written: 13
  • C:\Users\<USER>\AppData\Local\Temp\hsperfdata_<USER>\3400
  • C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
  • C:\ProgramData\Oracle\Java\.oracle_jre_usage\17dfc292991c8786.timestamp
  • C:\Users\user\AppData\Local\Temp\hsperfdata_user
  • C:\Users\user\AppData\Local\Temp\hsperfdata_user\7148
+8 more
Files deleted: 2
  • C:\Users\user\AppData\Local\Temp\hsperfdata_user\5388
  • /tmp/hsperfdata_root/3540
The hsperfdata_<user>\<pid> files are HotSpot's per-process performance-data maps and the .oracle_jre_usage timestamps belong to the JRE usage tracker; every Java 8 process creates them, so the entries shown describe the JVM rather than the JAR. The 8 entries not shown and the 9 dropped children listed below are where the JAR's own writes would appear.
Dropped payload

Files this sample writes at runtime

This file drops 9 children at runtime. None is currently flagged malicious in our cache, but none has ever been scanned anywhere either, so "not flagged" here means "no data", not "clean". The identifiers below are the truncated hash prefixes the scanner displays.

9 unseen (never scanned, never seen before)
  • abd3f272627e3cd5e7a965eba2
  • d668a6d98d0171811bb3cd4cec
  • 8f1a2a45d8770e39c0ea909b4a
  • c1de3a9376fdaef0ba6a308b70
  • d87c5f3cdfb5b7c0510e1ade9e
  • 61625fd8b084f70f242d55abd2
  • 50c82f36208ed80404472d7843
  • 8e8711854186c68e23684a3c7c
  • 759aafcfa2395ce1b8002af0f7
No researcher-database hits
External threat-intel sources were not collected for this scan.
Signature matches

YARA + heuristic rules that fired

One rule fired on this sample. It is a MalwareTips synthesis heuristic built on VT data plus sandbox behaviour, not a researcher-curated rule for a specific malware family, and the evidence it attaches is the JAR launch command line; that is why the arbiter above treats it as a false positive rather than as near-definitive.

1 synthesis
MITRE ATT&CK profile
Defense evasion × 1
MalwareTips synthesis rules
Our heuristics on VT data + sandbox behaviour
  • ProcessInjection (severity: high)

    Rule description: MITRE T1055 (Process Injection) observed: CreateRemoteThread / APC / reflective-DLL injection, the payload being smuggled into a legitimate process to bypass AV hooks. That text is the rule's generic description; the evidence actually attached (below) is the JVM launch line, which contains none of those primitives.

    Evidence
    "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\<USER>\Desktop\runtime.jar"
Antivirus engine breakdown

0 detections across 73 engines

0 malicious · 0 suspicious · 73 clean
Tier-1: 17 engines, 0 flag (top commercial AVs, low FP rate)
Tier-2: 36 engines, 0 flag (mainstream engines with mixed FP rates)
Low-trust: 20 engines, 0 flag (heuristic / generic-AI engines, high FP rate)
All 73 engines report this file as clean.
Hash 1852c0552dc6… cross-referenced against 73 AV engines via our AV network.
Prevalence

How often this file shows up in the wild

Moderate prevalence, neither rare nor common. No strong prior applies.

Classification: Medium
Unique uploaders: 21 (moderate upload volume)
Total submissions: 22 (includes repeat uploads by the same source)
First seen by VT: 8d ago (Jun 22, 2026)
Prevalence quadrants (reference)
  • Rare · New: targeted malware lives here
  • Common · New: just-released software
  • Rare · Old: niche or internal tooling
  • Common · Old: trusted legitimate binaries
File identity

Forensic fingerprint

File biography
First seen (VT)
6/22/2026, 8:47:53 AM
First seen (MalwareBazaar)
Last analysis (VT)
6/22/2026, 8:47:53 AM
Scanned here
6/30/2026, 3:57:53 PM
File name
zerio-FuckedByRaiiinsAndRekt.jar
Size
1.71 MB
MIME type
(unknown)
Detected type
JAR
SHA-256
1852c0552dc62b5b0cd73f9ca6c7d077ee10831f1011a317bd9ded6aa686b7d7
MD5
6b237470acd73e894a545df2a2d198c7
SHA-1
995ca7b46e4d346f136e25ac35d30405056d0797
First scan (MalwareTips)
6/30/2026, 3:57:54 PM
Last scan (MalwareTips)
6/30/2026, 3:57:53 PM
Behavior tags
jar · sets-process-name · detect-debug-environment · checks-cpu-name
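Before relying on "Unsigned" and on nine never-scanned dropped files, a practitioner would reproduce the hash and look inside the archive. The Python below is an added example, not scanner code and not the sample itself: it builds a constructed stand-in JAR in memory (the real file is not embedded), compares its SHA-256 with the value published on this page, reports whether JAR signature files are present, reads the manifest's Main-Class and agent attributes, and lists nested archives and native libraries, which are the usual sources of dropped children. The entry names inside the demo JAR (runtime.Main, lib/helper.jar, native/hook.dll) are invented for the demonstration. Presence of META-INF signature files only means someone signed the JAR; validity is checked with jarsigner -verify, which this script does not replace.

```python
import hashlib
import io
import zipfile

# SHA-256 published on this page for the sample; a local copy must match before any analysis of it is trusted.
PAGE_SHA256 = "1852c0552dc62b5b0cd73f9ca6c7d077ee10831f1011a317bd9ded6aa686b7d7"

SIG_BLOCK_EXTS = (".RSA", ".DSA", ".EC")          # signature blocks that accompany a META-INF/*.SF file
AGENT_ATTRS = ("Premain-Class", "Agent-Class", "Launcher-Agent-Class")  # manifest keys that load an agent


def parse_manifest(text: str) -> dict:
    """Parse the main section of META-INF/MANIFEST.MF; continuation lines start with a single space."""
    attrs, last = {}, None
    for line in text.splitlines():
        if not line.strip():
            break  # a blank line ends the main section; per-entry sections follow
        if line.startswith(" ") and last is not None:
            attrs[last] += line[1:]
        elif ":" in line:
            key, value = line.split(":", 1)
            last = key.strip()
            attrs[last] = value.strip()
    return attrs


def inspect_jar(data: bytes) -> dict:
    """Static checks on a JAR: hash, signature files, entry point, nested archives, native code, unsafe paths."""
    digest = hashlib.sha256(data).hexdigest()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        manifest = {}
        if "META-INF/MANIFEST.MF" in names:
            manifest = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace"))
    meta = [n for n in names if n.startswith("META-INF/")]
    sig_files = [n for n in meta if n.upper().endswith(".SF")]
    sig_blocks = [n for n in meta if n.upper().endswith(SIG_BLOCK_EXTS)]
    return {
        "sha256": digest,
        "matches_page_hash": digest == PAGE_SHA256,
        "signed": bool(sig_files and sig_blocks),   # presence only; validity needs jarsigner -verify
        "main_class": manifest.get("Main-Class"),
        "agent_attrs": {k: manifest[k] for k in AGENT_ATTRS if k in manifest},
        "class_count": sum(n.endswith(".class") for n in names),
        "nested_archives": [n for n in names if n.lower().endswith((".jar", ".zip"))],
        "native_libs": [n for n in names if n.lower().endswith((".dll", ".so", ".dylib", ".exe"))],
        # entries that would escape the extraction directory (zip-slip) when the JAR unpacks itself
        "unsafe_paths": [n for n in names if n.startswith("/") or ".." in n.split("/")],
    }


def build_demo_jar(signed: bool = False) -> bytes:
    """Constructed stand-in for the sample (not the real file) so the checks have something to find."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nMain-Class: runtime.Main\r\n"
                    "Launcher-Agent-Class: runtime.\r\n Agent\r\n\r\n")      # wrapped value, exercises continuation
        if signed:
            zf.writestr("META-INF/DEMO.SF", "Signature-Version: 1.0\r\n")
            zf.writestr("META-INF/DEMO.RSA", b"\x30\x82")                   # placeholder block, not a real signature
        zf.writestr("runtime/Main.class", b"\xca\xfe\xba\xbe" + b"\x00" * 12)
        zf.writestr("lib/helper.jar", b"PK\x05\x06" + b"\x00" * 18)         # nested jar: a dropped-child candidate
        zf.writestr("native/hook.dll", b"MZ" + b"\x00" * 62)                # native code runs outside JVM controls
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in inspect_jar(build_demo_jar()).items():
        print(f"{key:18} {value}")
```

On a real copy of the sample, read the bytes from disk instead of build_demo_jar(); matches_page_hash is the first thing to look at, because a mismatch means the verdict on this page is about a different file. Nested archives and native libraries are the entries to extract and hash individually, since those hashes are what the "9 unseen" children above would be looked up by.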
Community classification

Reviews & malware reports(0)

Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.

Files are processed in a streaming pass-through — MalwareTips never stores the binary on its servers. Only the scan result (hash, detections, verdict) is retained so the next person who scans the same file gets an instant answer. If you ran this file on your computer and are worried, scan your system with an up-to-date antivirus and change critical passwords from a different device.