File name:

JJSploit_7.3.0_x86_en-US.msi

Full analysis: https://app.any.run/tasks/af20be77-897b-43e1-91e2-a382ebcc33c6
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: February 15, 2024, 20:59:54
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
generated-doc
loader
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: JJSploit, Author: wearedevs, Keywords: Installer, Comments: This installer database contains the logic and data required to install JJSploit., Template: Intel;0, Revision Number: {36D30491-2DCB-4793-81F4-D1C07F51C1FB}, Create Time/Date: Tue Sep 12 23:53:30 2023, Last Saved Time/Date: Tue Sep 12 23:53:30 2023, Number of Pages: 450, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
MD5:

9C232FE2EDE51929244AFC5C67E53B51

SHA1:

8E8BB0EDA09D25C1F44B8ABD66A7E15A414B76F5

SHA256:

1985FDBEC700334FBB2C907F37A102930744E6B3E9198C25F516EAE9F6854E9B

SSDEEP:

98304:S0yJkPPCA1o7IW+9Nh8Jg+y6RuRfhmM9DnNUTresAL2+x7SoEXt5xN6Z30rYNw+u:SPMWdFB/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • msiexec.exe (PID: 3652)
      • powershell.exe (PID: 1348)
      • MicrosoftEdge_X86_109.0.1518.140.exe (PID: 2984)
      • MicrosoftEdgeUpdate.exe (PID: 1572)
      • setup.exe (PID: 4080)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 1348)
    • Changes the autorun value in the registry

      • MicrosoftEdgeUpdate.exe (PID: 1572)
    • Scans artifacts that could help determine the target

      • msedgewebview2.exe (PID: 3644)
    • The DLL Hijacking

      • msedgewebview2.exe (PID: 3312)
      • msedgewebview2.exe (PID: 4092)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • powershell.exe (PID: 1348)
      • MicrosoftEdgeUpdate.exe (PID: 1572)
      • MicrosoftEdge_X86_109.0.1518.140.exe (PID: 2984)
      • setup.exe (PID: 4080)
    • Starts a Microsoft application from unusual location

      • MicrosoftEdgeUpdate.exe (PID: 1572)
    • Executes as Windows Service

      • VSSVC.exe (PID: 2848)
    • Executable content was dropped or overwritten

      • MicrosoftEdgeUpdate.exe (PID: 1572)
      • MicrosoftEdge_X86_109.0.1518.140.exe (PID: 2984)
      • setup.exe (PID: 4080)
    • Reads the Internet Settings

      • powershell.exe (PID: 1348)
      • MicrosoftEdgeUpdate.exe (PID: 1768)
      • MicrosoftEdgeUpdate.exe (PID: 2260)
      • MicrosoftEdgeUpdate.exe (PID: 268)
      • cmd.exe (PID: 1932)
      • cmd.exe (PID: 2496)
      • msedgewebview2.exe (PID: 3644)
    • Starts itself from another location

      • MicrosoftEdgeUpdate.exe (PID: 1572)
    • Reads settings of System Certificates

      • MicrosoftEdgeUpdate.exe (PID: 1768)
      • MicrosoftEdgeUpdate.exe (PID: 2260)
      • MicrosoftEdgeUpdate.exe (PID: 268)
      • msedgewebview2.exe (PID: 3644)
    • Reads security settings of Internet Explorer

      • MicrosoftEdgeUpdate.exe (PID: 1768)
      • MicrosoftEdgeUpdate.exe (PID: 2260)
      • MicrosoftEdgeUpdate.exe (PID: 268)
    • Checks Windows Trust Settings

      • MicrosoftEdgeUpdate.exe (PID: 1768)
      • MicrosoftEdgeUpdate.exe (PID: 2260)
      • MicrosoftEdgeUpdate.exe (PID: 268)
    • Unusual connection from system programs

      • powershell.exe (PID: 1348)
    • The Powershell connects to the Internet

      • powershell.exe (PID: 1348)
    • Searches for installed software

      • setup.exe (PID: 4080)
    • Creates a software uninstall entry

      • setup.exe (PID: 4080)
    • Application launched itself

      • MicrosoftEdgeUpdate.exe (PID: 2260)
      • msedgewebview2.exe (PID: 3644)
    • Creates/Modifies COM task schedule object

      • MicrosoftEdgeUpdate.exe (PID: 2904)
  • INFO

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 3652)
    • Checks supported languages

      • MicrosoftEdgeUpdate.exe (PID: 1572)
      • MicrosoftEdgeUpdate.exe (PID: 2904)
      • MicrosoftEdgeUpdate.exe (PID: 1768)
      • MicrosoftEdgeUpdate.exe (PID: 1368)
      • MicrosoftEdgeUpdate.exe (PID: 2260)
      • MicrosoftEdge_X86_109.0.1518.140.exe (PID: 2984)
      • setup.exe (PID: 4080)
      • MicrosoftEdgeUpdate.exe (PID: 268)
      • msedgewebview2.exe (PID: 3312)
      • msedgewebview2.exe (PID: 3796)
      • msedgewebview2.exe (PID: 3336)
      • msedgewebview2.exe (PID: 3132)
      • msedgewebview2.exe (PID: 3644)
      • msedgewebview2.exe (PID: 4092)
      • msedgewebview2.exe (PID: 1860)
    • Reads the computer name

      • MicrosoftEdgeUpdate.exe (PID: 1572)
      • MicrosoftEdgeUpdate.exe (PID: 2904)
      • MicrosoftEdgeUpdate.exe (PID: 1368)
      • MicrosoftEdgeUpdate.exe (PID: 1768)
      • MicrosoftEdgeUpdate.exe (PID: 2260)
      • MicrosoftEdge_X86_109.0.1518.140.exe (PID: 2984)
      • setup.exe (PID: 4080)
      • MicrosoftEdgeUpdate.exe (PID: 268)
      • msedgewebview2.exe (PID: 3644)
      • msedgewebview2.exe (PID: 3336)
      • msedgewebview2.exe (PID: 4092)
      • msedgewebview2.exe (PID: 3312)
    • Create files in a temporary directory

      • MicrosoftEdgeUpdate.exe (PID: 1572)
      • MicrosoftEdgeUpdate.exe (PID: 1768)
      • MicrosoftEdgeUpdate.exe (PID: 268)
      • msedgewebview2.exe (PID: 3644)
    • Creates files or folders in the user directory

      • MicrosoftEdgeUpdate.exe (PID: 1572)
      • MicrosoftEdgeUpdate.exe (PID: 1768)
      • MicrosoftEdgeUpdate.exe (PID: 2260)
      • MicrosoftEdge_X86_109.0.1518.140.exe (PID: 2984)
      • setup.exe (PID: 4080)
      • msedgewebview2.exe (PID: 3796)
      • msedgewebview2.exe (PID: 3336)
      • msedgewebview2.exe (PID: 3644)
    • Reads the machine GUID from the registry

      • MicrosoftEdgeUpdate.exe (PID: 1572)
      • MicrosoftEdgeUpdate.exe (PID: 1368)
      • MicrosoftEdgeUpdate.exe (PID: 2260)
      • MicrosoftEdgeUpdate.exe (PID: 1768)
      • MicrosoftEdgeUpdate.exe (PID: 268)
      • msedgewebview2.exe (PID: 3644)
    • Reads Environment values

      • MicrosoftEdgeUpdate.exe (PID: 1768)
      • MicrosoftEdgeUpdate.exe (PID: 268)
    • Checks proxy server information

      • MicrosoftEdgeUpdate.exe (PID: 1768)
      • MicrosoftEdgeUpdate.exe (PID: 268)
    • Reads the software policy settings

      • MicrosoftEdgeUpdate.exe (PID: 1768)
      • MicrosoftEdgeUpdate.exe (PID: 2260)
      • MicrosoftEdgeUpdate.exe (PID: 268)
      • msedgewebview2.exe (PID: 3644)
    • Application launched itself

      • msedge.exe (PID: 1196)
      • msedge.exe (PID: 3636)
    • Process checks computer location settings

      • msedgewebview2.exe (PID: 3644)
      • msedgewebview2.exe (PID: 1860)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (98.5)
.msi | Microsoft Installer (100)

EXIF

FlashPix

CodePage: Windows Latin 1 (Western European)
Title: Installation Database
Subject: JJSploit
Author: wearedevs
Keywords: Installer
Comments: This installer database contains the logic and data required to install JJSploit.
Template: Intel;0
RevisionNumber: {36D30491-2DCB-4793-81F4-D1C07F51C1FB}
CreateDate: 2023:09:12 23:53:30
ModifyDate: 2023:09:12 23:53:30
Pages: 450
Words: 2
Software: Windows Installer XML Toolset (3.11.2.4516)
Security: Read-only recommended
No data.
All screenshots are available in the full report
Total processes
88
Monitored processes
42
Malicious processes
10
Suspicious processes
1

Behavior graph


Process information

PID
CMD
Path
Indicators
Parent process
PID:
268
CMD:
"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xODEuNSIgc2hlbGxfdmVyc2lvbj0iMS4zLjE4MS41IiBpc21hY2hpbmU9IjAiIHNlc3Npb25pZD0iezkwMjlCQTZGLTRGMkMtNDU1NC1BRUI2LTIwOThCNTVCNDk2Nn0iIGluc3RhbGxzb3VyY2U9Im90aGVyaW5zdGFsbGNtZCIgcmVxdWVzdGlkPSJ7MTlGQzFCRDYtOERBRS00MTMxLUIzN0UtRjczNUJCQzczRTFDfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjQiIHBoeXNtZW1vcnk9IjMiIGRpc2tfdHlwZT0iMCIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iNi4xLjc2MDEuMjQ1NDYiIHNwPSJTZXJ2aWNlIFBhY2sgMSIgYXJjaD0ieDg2IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSJERUxMIiBwcm9kdWN0X25hbWU9IkRFTEwiLz48ZXhwIGV0YWc9IiZxdW90O3I0NTJ0MStrMlRncS9IWHpqdkZOQlJob3BCV1I5c2JqWHhxZVVESDl1WDA9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0ie0YzMDE3MjI2LUZFMkEtNDI5NS04QkRGLTAwQzNBOUE3RTRDNX0iIHZlcnNpb249IiIgbmV4dHZlcnNpb249IjEwOS4wLjE1MTguMTQwIiBsYW5nPSJlbiIgYnJhbmQ9IiIgY2xpZW50PSIiIGV4cGVyaW1lbnRzPSJjb25zZW50PWZhbHNlIiBpbnN0YWxsYWdlPSItMSIgaW5zdGFsbGRhdGU9Ii0xIj48dXBkYXRlY2hlY2svPjxldmVudCBldmVudHR5cGU9IjkiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjE1ODc5OTAyMzQzIi8-[...]-PGV2ZW50IGV2ZW50dHlwZT0iNiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTY3OTAyMTQ4NDMiLz48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIxOTY2MDgiIHN5c3RlbV91cHRpbWVfdGlja3M9IjE3MDA5OTAyMzQzIiBzb3VyY2VfdXJsX2luZGV4PSIwIiB1cGRhdGVfY2hlY2tfdGltZV9tcz0iOTg0IiBkb3dubG9hZF90aW1lX21zPSI4ODkwNiIgZG93bmxvYWRlZD0iMTI4NTEyOTY4IiB0b3RhbD0iMTI4NTEyOTY4IiBwYWNrYWdlX2NhY2hlX3Jlc3VsdD0iMCIgaW5zdGFsbF90aW1lX21zPSIyMTk2OSIvPjwvYXBwPjwvcmVxdWVzdD4
Path:
C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
Parent process:
MicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update
Exit code:
0
Version:
1.3.181.5
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID:
748
CMD:
"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2380 --field-trial-handle=1420,i,14878222221723783125,4215351137121902608,131072 /prefetch:8
Path:
C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID:
1196
CMD:
"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/@Omnidev_
Path:
C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID:
1348
CMD:
powershell.exe -NoProfile -windowstyle hidden try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 } catch {}; Invoke-WebRequest -Uri "https://go.microsoft.com/fwlink/p/?LinkId=2124703" -OutFile "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" ; Start-Process -FilePath "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" -ArgumentList ('/silent', '/install') -Wait
Path:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process:
msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID:
1352
CMD:
"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1500 --field-trial-handle=1412,i,7965464272609942486,11033342698367348696,131072 /prefetch:3
Path:
C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID:
1368
CMD:
"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=false" /installsource otherinstallcmd /sessionid "{9029BA6F-4F2C-4554-AEB6-2098B55B4966}" /silent
Path:
C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
Parent process:
MicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update
Exit code:
0
Version:
1.3.181.5
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID:
1432
CMD:
"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3800 --field-trial-handle=1420,i,14878222221723783125,4215351137121902608,131072 /prefetch:8
Path:
C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID:
1572
CMD:
C:\Users\admin\AppData\Local\Temp\EU33EC.tmp\MicrosoftEdgeUpdate.exe /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"
Path:
C:\Users\admin\AppData\Local\Temp\EU33EC.tmp\MicrosoftEdgeUpdate.exe
Parent process:
MicrosoftEdgeWebview2Setup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update
Exit code:
0
Version:
1.3.181.5
Modules
Images
c:\users\admin\appdata\local\temp\eu33ec.tmp\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID:
1632
CMD:
"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3260 --field-trial-handle=1420,i,14878222221723783125,4215351137121902608,131072 /prefetch:1
Path:
C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID:
1768
CMD:
"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xODEuNSIgc2hlbGxfdmVyc2lvbj0iMS4zLjE4MS41IiBpc21hY2hpbmU9IjAiIHNlc3Npb25pZD0iezkwMjlCQTZGLTRGMkMtNDU1NC1BRUI2LTIwOThCNTVCNDk2Nn0iIGluc3RhbGxzb3VyY2U9Im90aGVyaW5zdGFsbGNtZCIgcmVxdWVzdGlkPSJ7RTNGNTlFOTQtREM2Mi00MjhDLUI3RDAtNUU3QkY1RTE3ODREfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjQiIHBoeXNtZW1vcnk9IjMiIGRpc2tfdHlwZT0iMCIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iNi4xLjc2MDEuMjQ1NDYiIHNwPSJTZXJ2aWNlIFBhY2sgMSIgYXJjaD0ieDg2IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSJERUxMIiBwcm9kdWN0X25hbWU9IkRFTEwiLz48ZXhwIGV0YWc9IiIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIiIG5leHR2ZXJzaW9uPSIxLjMuMTgxLjUiIGxhbmc9IiIgYnJhbmQ9IiIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjE1ODY2NDY0ODQzIiBpbnN0YWxsX3RpbWVfbXM9IjY3MiIvPjwvYXBwPjwvcmVxdWVzdD4
Path:
C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
Parent process:
MicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update
Exit code:
0
Version:
1.3.181.5
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events
38 375
Read events
34 720
Write events
3 557
Delete events
98

Modification events

(PID) Process: (2848) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
Operation: write
Name: IDENTIFY (Enter)
Value:
40000000000000004E6687F95160DA01200B00001C090000E8030000010000000100000000000000000000000000000000000000000000000000000000000000

(PID) Process: (2848) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
Operation: write
Name: IDENTIFY (Enter)
Value:
40000000000000004E6687F95160DA01200B0000C00A0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000

(PID) Process: (2848) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer
Operation: write
Name: IDENTIFY (Enter)
Value:
40000000000000004E6687F95160DA01200B0000180B0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000

(PID) Process: (2848) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
Operation: write
Name: IDENTIFY (Enter)
Value:
40000000000000004E6687F95160DA01200B00004C0A0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000

(PID) Process: (2848) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
Operation: write
Name: IDENTIFY (Leave)
Value:
4000000000000000A8C889F95160DA01200B0000C00A0000E8030000000000000100000000000000000000000000000000000000000000000000000000000000

(PID) Process: (2848) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
Operation: write
Name: IDENTIFY (Leave)
Value:
4000000000000000A8C889F95160DA01200B00004C0A0000E8030000000000000100000000000000000000000000000000000000000000000000000000000000

(PID) Process: (2848) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
Operation: write
Name: IDENTIFY (Leave)
Value:
4000000000000000A8C889F95160DA01200B00001C090000E8030000000000000100000000000000000000000000000000000000000000000000000000000000

(PID) Process: (2848) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer
Operation: write
Name: IDENTIFY (Leave)
Value:
4000000000000000022B8CF95160DA01200B0000180B0000E8030000000000000100000000000000000000000000000000000000000000000000000000000000

(PID) Process: (2848) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
Operation: write
Name: PROVIDER_BEGINPREPARE (Enter)
Value:
4000000000000000347C02FB5160DA01200B0000180B0000010400000100000000000000000000004B18329F9E987446A98BDC6D7B5803B90000000000000000

(PID) Process: (2848) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
Operation: write
Name: PROVIDER_BEGINPREPARE (Leave)
Value:
4000000000000000347C02FB5160DA01200B0000180B0000010400000000000000000000000000004B18329F9E987446A98BDC6D7B5803B90000000000000000
Executable files
107
Suspicious files
97
Text files
96
Unknown types
64

Dropped files

PID
Process
Filename
Type
PID: 1348
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\wisvcgwe.oyt.ps1
Type: binary
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA256:

PID: 1572
Process: MicrosoftEdgeUpdate.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.181.5\msedgeupdateres_am.dll
Type: executable
MD5: 27B4625745B0D9036FAEEF288DCDC71F
SHA256: 74FEFC1AD1BCA85AE3CDCB197396568E9CCDC3DE9095CC3E787E6E28F9A04487

PID: 1572
Process: MicrosoftEdgeUpdate.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.181.5\msedgeupdateres_az.dll
Type: executable
MD5: EA96F65E817AC6899D6732CD880F744E
SHA256: 06BFC34D181852321498C49FAD36701A5F854AD6E5588AF9E141A5CEF838165F

PID: 1572
Process: MicrosoftEdgeUpdate.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.181.5\MicrosoftEdgeComRegisterShellARM64.exe
Type: executable
MD5: 9540AD83A08605BA1F52196424CE3067
SHA256: B0B5D9EB6F4B176BDFBE4DA0A060AD1B76C813186FAE3D9A6E1B1DD9EE0D01D1

PID: 1572
Process: MicrosoftEdgeUpdate.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.181.5\msedgeupdateres_bs.dll
Type: executable
MD5: 139D647896AF07432B0C810977139FDB
SHA256: 0F3D5EA311F13F94B8C0F9BD6C8FE8351CA85A9E92D96B3AC3A54E87A2167833

PID: 1572
Process: MicrosoftEdgeUpdate.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.181.5\msedgeupdateres_bn.dll
Type: executable
MD5: 4AB2B866301DA9FFD1A2D9E1D2828698
SHA256: CFFFD594B203016E13FA74C5382C1C6B46F7D3F0817EB4D649FEAF3350A401F0

PID: 1572
Process: MicrosoftEdgeUpdate.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.181.5\msedgeupdateres_bn-IN.dll
Type: executable
MD5: C4457C581AFBF9E1903FB309D8D08BF7
SHA256: F409B1CCE73799D3ED0FBAAB72C3331CC597787680E2FC9DCD9E2803F62E006E

PID: 1572
Process: MicrosoftEdgeUpdate.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.181.5\msedgeupdateres_bg.dll
Type: executable
MD5: 4328BF6228C408CAE033FB4ACCA65640
SHA256: 73A10A15A4BE54F85E4103A994C8A628C34034D085C40627FB4F18B499379DE8

PID: 3652
Process: msiexec.exe
Filename: C:\Users\admin\AppData\Local\Temp\MSIF4D.tmp
Type: executable
MD5: 4FDD16752561CF585FED1506914D73E0
SHA256: AECD2D2FE766F6D439ACC2BBF1346930ECC535012CF5AD7B3273D2875237B7E7

PID: 1572
Process: MicrosoftEdgeUpdate.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.181.5\EdgeUpdate.dat
Type: binary
MD5: 369BBC37CFF290ADB8963DC5E518B9B8
SHA256: 3D7EC761BEF1B1AF418B909F1C81CE577C769722957713FDAFBC8131B0A0C7D3
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
50
DNS requests
48
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1768
MicrosoftEdgeUpdate.exe
GET
304
173.222.108.195:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?d123ac630b302fcd
unknown
unknown
856
svchost.exe
HEAD
200
104.124.11.33:80
http://msedge.f.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/d87a3bbd-7fe5-4ec3-b806-293cca78b363?P1=1708635627&P2=404&P3=2&P4=cw1jbLjH%2f7Owzg0DJcQOubObwMtZZ6R2J9Jz9CRwOi5XIfSOe6JDTl1KgmZPuggxE8rfs4mYFZSdU1tZHx%2b1Vw%3d%3d
unknown
unknown
856
svchost.exe
GET
200
104.124.11.33:80
http://msedge.f.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/d87a3bbd-7fe5-4ec3-b806-293cca78b363?P1=1708635627&P2=404&P3=2&P4=cw1jbLjH%2f7Owzg0DJcQOubObwMtZZ6R2J9Jz9CRwOi5XIfSOe6JDTl1KgmZPuggxE8rfs4mYFZSdU1tZHx%2b1Vw%3d%3d
unknown
executable
122 Mb
unknown
1080
svchost.exe
GET
304
2.16.100.155:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?624d1ab720bef5f8
unknown
compressed
65.2 Kb
unknown
1768
MicrosoftEdgeUpdate.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
binary
471 b
unknown
1080
svchost.exe
GET
200
2.16.100.155:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?0754c686571bd23f
unknown
compressed
65.2 Kb
unknown

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted
1080
svchost.exe
224.0.0.252:5355
unknown
1348
powershell.exe
23.211.9.234:443
go.microsoft.com
AKAMAI-AS
DE
unknown
1348
powershell.exe
2.19.11.11:443
msedge.sf.dl.delivery.mp.microsoft.com
Elisa Oyj
NL
unknown
1768
MicrosoftEdgeUpdate.exe
13.107.42.16:443
config.edge.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
2260
MicrosoftEdgeUpdate.exe
23.102.129.60:443
msedge.api.cdp.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
1768
MicrosoftEdgeUpdate.exe
20.189.173.2:443
self.events.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
1768
MicrosoftEdgeUpdate.exe
173.222.108.195:80
ctldl.windowsupdate.com
Akamai International B.V.
CH
unknown
2248
svchost.exe
239.255.255.250:1900
unknown

DNS requests

Domain
IP
Reputation
go.microsoft.com
  • 23.211.9.234
whitelisted
msedge.sf.dl.delivery.mp.microsoft.com
  • 2.19.11.11
  • 2.19.11.6
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
msedge.api.cdp.microsoft.com
  • 23.102.129.60
whitelisted
self.events.data.microsoft.com
  • 20.189.173.2
  • 20.42.65.85
whitelisted
ctldl.windowsupdate.com
  • 173.222.108.195
  • 173.222.108.249
  • 2.16.100.155
  • 2.16.100.169
  • 88.221.110.121
  • 88.221.110.91
  • 88.221.110.64
  • 2.16.100.138
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
msedge.f.tlu.dl.delivery.mp.microsoft.com
  • 104.124.11.33
  • 104.124.11.35
whitelisted
www.youtube.com
  • 142.250.181.238
  • 142.250.186.174
  • 142.250.186.78
  • 172.217.16.142
  • 142.250.186.142
  • 142.250.74.206
  • 216.58.206.46
  • 172.217.18.14
  • 142.250.186.110
  • 172.217.16.206
  • 216.58.212.174
  • 142.250.186.46
  • 172.217.18.110
  • 172.217.23.110
  • 142.250.185.78
  • 142.250.185.110
whitelisted
edge.microsoft.com
  • 204.79.197.239
  • 13.107.21.239
whitelisted

Threats

PID
Process
Class
Message
856
svchost.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
Process
Message
msedgewebview2.exe
RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\net.wearedevs directory exists )