File verdict·Decided by the MT AI Engine

Our call

Safe

Item: jarfix.exe
Rating: 4.5
Author: MalwareTips File Scanner

Unsigned NSIS installer with 7-year history, zero tier-1 detections, high prevalence (17k+ submissions), and no malicious runtime evidence.

Trust score88High trust

MT AI confidence · 82%

jarfix.exe

71.8 KB

3a00c5b808954e9dca…787f5eaae2

Antivirus engines

0 of 74 flagged

Code signing

Unsigned

Age

First seen 7y ago

MT AI Engine · our arbiter

The verdict, reasoned out.

Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.

82%Confidence

High

Reasoning

The file exhibits a clean engine profile: zero malicious detections across 70 reporting engines, including all major tier-1 vendors (Kaspersky, BitDefender, ESET, Fortinet, Avast, etc.). Its prevalence is exceptionally high (common_old classification, 17,338 submissions over 2,709 days), which is inconsistent with novel or targeted malware. The triggered heuristics (process injection and direct-IP C2) are evidence signals typical of NSIS-packaged installers and sandbox environments; they lack corroborating malicious runtime verdicts, malicious child processes, or external-intelligence consensus. Community YARA annotations reference APT families but carry zero votes and 0/73 AV detection ratio, indicating rule-matching noise. The file is unsigned but shows no brand mismatch or adversarial input flags.

Key signals · 5

Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.

engines: 0/70 malicious; tier1Malicious=0 across Avast, BitDefender, Kaspersky, ESET, Fortinet, Ikarus, Emsisoft, GData, DrWeb, F-Secure
prevalence: common_old, 3,695 submitters, 17,338 submissions since 2019-01-27 (2,709 days old)
behaviour: 4 offensive MITRE techniques but no malicious sandbox verdict, no malicious contacted hosts, 10/10 dropped children unknown/safe
triggered heuristics: ProcessInjection + DirectIpC2 fired, but contacted IPs include private-range sandbox addresses (192.168.x.x); no external-intel corroboration (yaraify.ruleCount=0, no MalwareBazaar hit)
file metadata: unsigned NSIS-packaged EXE, filename 'jarfix.exe' consistent with legitimate Java utility, no brand mismatch, no adversarial input flags

Points in its favour

Zero malicious detections across 70 antivirus engines, including all tier-1 vendors
Exceptional prevalence: 17,338 submissions from 3,695 sources over 2,709 days
No malicious sandbox verdict despite sandbox analysis
All 10 dropped child processes returned unknown or safe verdicts
No external-intelligence corroboration (zero YARA hits, no MalwareBazaar family)

Points against

Unsigned executable (no Authenticode signature)
Triggered heuristic: process injection (T1055) detected
Triggered heuristic: direct-IP contact without DNS resolution
NSIS installer framework (common target for heuristic false positives)

What to do

This file is safe to use. The triggered heuristics reflect legitimate NSIS installer behaviour and sandbox artefacts, not malware indicators. If you encounter warnings from individual antivirus engines, they likely represent false positives; the consensus of 17 tier-1 vendors and 7+ years of prevalence data support a benign classification.

Runtime behaviour

What this file did when executed

This file was detonated in 1 sandbox and its runtime behaviour was observed.

MITRE ATT&CK

Adversary techniques mapped to the MITRE ATT&CK framework.

T1010T1012T1016T1018T1027T1036T1055T1056T1059T1071T1082T1083T1095T1112T1115T1125T1129T1222T1497T1518.001T1529T1543.003T1547.001T1547.008+4 more

Spawned processes

$(unnamed)

"C:\Users\<USER>\Desktop\file.exe"

$(unnamed)

%SAMPLEPATH%\3a00c5b808954e9dca76418506eacec9cb1cb0fd844318a896ebae787f5eaae2.exe

$(unnamed)

C:\Windows\System32\wuapihost.exe

$(unnamed)

%SAMPLEPATH%\file.exe

$(unnamed)

%SAMPLEPATH%\jarfix.exe

$(unnamed)

C:\Program Files (x86)\Google3172_1604629535\bin\updater.exe

$(unnamed)

C:\Program Files (x86)\Google3320_511591850\bin\updater.exe

$(unnamed)

C:\Program Files (x86)\Google2640_2141157483\bin\updater.exe

+7 more processes captured.

Network activity

IP addresses20

23.216.147.64
a83f:8110:0:0:100:0:1800:0
192.168.0.9
a83f:8110:0:0:1400:1400:2800:3800
a83f:8110:517c:adff:527d:aeff:507e:aeff
a83f:8110:584a:b5b1:17cb:1ec8:0:0
a83f:8110:0:6:4b95:400:4e00:6100
192.168.0.69
192.168.0.99
a83f:8110:0:0:10:0:0:0

+10 more

Filesystem & mutexes

Files written15

C:\Users\<USER>\AppData\Local\Temp\nsxC4B8.tmp\System.dll
C:\Users\<USER>\AppData\Local\Temp\nsxC4B8.tmp\UserInfo.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\nss3.tmp\System.dll
C:\WINDOWS\wininit.ini
C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\nsv4.tmp\System.dll

+10 more

Files deleted15

C:\Users\<USER>\AppData\Local\Temp\nsxC4B8.tmp\System.dll
C:\Users\<USER>\AppData\Local\Temp\nsxC4B8.tmp\UserInfo.dll
C:\Users\<USER>\AppData\Local\Temp\nsxC4B8.tmp\
C:\ProgramData\Microsoft\Windows\WER\Temp\WERFF9D.tmp.WERInternalMetadata.xml
C:\ProgramData\Microsoft\Windows\WER\Temp\WER412.tmp.csv

+10 more

Mutexes created10

jarfix
oleacc-msaa-loaded
CTF.LBES.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Compart.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Asm.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500

+5 more

Dropped payload

Files this sample writes at runtime

This file drops 10 children at runtime. None are currently flagged malicious in our cache.

10 unseen

6707e9e88dec460c2cf4…e711a3Never scanned
never seen before
bb6df93369b498eaa638…f5e0f1Never scanned
never seen before
bb5a1d709ddba97bb438…d77afaNever scanned
never seen before
b322c48534c6fd3cc832…168519Never scanned
never seen before
cf7023ac8b813f1d62e3…db0aa1Never scanned
never seen before
f29e86626b1ae9f7b70e…f864feNever scanned
never seen before
c0d6974c960e74660b28…55c3deNever scanned
never seen before
ec5526b24e9bd32e2d03…9e6167Never scanned
never seen before
5a08cd9ba3d16f45368f…77526aNever scanned
never seen before
accf036232d2570796bf…f36af8Never scanned
never seen before

No researcher-database hits

External threat-intel sources were not collected for this scan.

Signature matches

YARA + heuristic rules that fired

A researcher-curated or high-severity heuristic rule matched this sample. These rules target specific malware families and are near-definitive.

2 synthesis

MITRE ATT&CK profile

Defense evasion× 1C2× 1

MalwareTips synthesis rules

Our heuristics on VT data + sandbox behaviour

ProcessInjection
T1055
high
MITRE T1055 (Process Injection) observed — CreateRemoteThread / APC / reflective-DLL injection. The payload is being smuggled into a legitimate process to bypass AV hooks.
Evidence
"C:\Users\<USER>\Desktop\file.exe"
DirectIpC2
T1071
medium
Sample contacted 13 external IP address(es) and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists.
Evidence
23.216.147.64 · a83f:8110:0:0:100:0:1800:0 · a83f:8110:0:0:1400:1400:2800:3800

Antivirus engine breakdown

0 detections across 74 engines

0 malicious0 suspicious74 clean

Tier-117 engines

0flag

Top commercial AVs (low FP rate)

Tier-237 engines

0flag

Mainstream engines with mixed FP rates

Low-trust20 engines

0flag

Heuristic / generic-AI engines (high FP rate)

All 74 engines report this file as clean.

Hash 3a00c5b80895… cross-referenced against 74 AV engines via our AV network.

PE forensics

Section entropy & packers

Section-level entropy and packer detection from the PE header. Nothing suspicious here — entropy is within the normal range for unpacked code.

ent 7.99Unpacked

Section entropy5 sections

.text

6.44

.rdata

5.06

.data

4.19

.ndata

0.00

.rsrc

4.18

0.0Packed threshold 7.28.0

Prevalence

How often this file shows up in the wild

Widely seen in the wild for a long time. High prior this is legitimate; isolated detections on common-old files are usually false positives.

Common & old

Unique uploaders

3,695

Hundreds of people have uploaded this — common.

Total submissions

17,338

Includes repeat uploads by the same source.

First seen by VT

7y ago

Jan 27, 2019

Prevalence quadrant

Rare · New

Targeted malware lives here

Common · New

Just-released software

Rare · Old

Niche or internal tooling

here

Common · Old

Trusted legitimate binaries

File identity

Forensic fingerprint

File biography

First seen (VT)

1/27/2019, 3:21:17 AM

First seen (MalwareBazaar)

—

Last analysis (VT)

6/22/2026, 2:10:20 AM

Scanned here

6/28/2026, 12:00:40 AM

File name: jarfix.exe
Size: 71.8 KB
MIME type: (unknown)
Detected type: Win32 EXE
SHA-256: 3a00c5b808954e9dca76418506eacec9cb1cb0fd844318a896ebae787f5eaae2
MD5: dd9f1cadb75365e4646a814e8d022010
SHA-1: a963f573f3fe0422b867dabad52bd7d345ff4d49
PE imphash: b76363e9cb88bf9390860da8e50999d2
First seen (VT): 1/27/2019, 3:21:17 AM
Last analysis (VT): 6/22/2026, 2:10:20 AM
First scan (MalwareTips): 6/28/2026, 12:00:40 AM
Last scan (MalwareTips): 6/28/2026, 12:00:40 AM
Community reputation: +18trusted

Behavior tags

checks-user-inputpeexeoverlaynsis

Community classification

Reviews & malware reports(0)

Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.

Loading…

Loading reports…

Scan another

Check a different file

URL instead?

Check if a link is safe

Files are processed in a streaming pass-through — MalwareTips never stores the binary on its servers. Only the scan result (hash, detections, verdict) is retained so the next person who scans the same file gets an instant answer. If you ran this file on your computer and are worried, scan your system with an up-to-date antivirus and change critical passwords from a different device.