File name:

JJSploit_7.3.0_x86_en-US.msi

Full analysis: https://app.any.run/tasks/af20be77-897b-43e1-91e2-a382ebcc33c6
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: February 15, 2024, 20:59:54
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
generated-doc
loader
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: JJSploit, Author: wearedevs, Keywords: Installer, Comments: This installer database contains the logic and data required to install JJSploit., Template: Intel;0, Revision Number: {36D30491-2DCB-4793-81F4-D1C07F51C1FB}, Create Time/Date: Tue Sep 12 23:53:30 2023, Last Saved Time/Date: Tue Sep 12 23:53:30 2023, Number of Pages: 450, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
MD5:

9C232FE2EDE51929244AFC5C67E53B51

SHA1:

8E8BB0EDA09D25C1F44B8ABD66A7E15A414B76F5

SHA256:

1985FDBEC700334FBB2C907F37A102930744E6B3E9198C25F516EAE9F6854E9B

SSDEEP:

98304:S0yJkPPCA1o7IW+9Nh8Jg+y6RuRfhmM9DnNUTresAL2+x7SoEXt5xN6Z30rYNw+u:SPMWdFB/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • MicrosoftEdgeUpdate.exe (PID: 1572)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 1348)
    • Drops the executable file immediately after the start

      • powershell.exe (PID: 1348)
      • MicrosoftEdge_X86_109.0.1518.140.exe (PID: 2984)
      • MicrosoftEdgeUpdate.exe (PID: 1572)
      • setup.exe (PID: 4080)
      • msiexec.exe (PID: 3652)
    • Scans artifacts that could help determine the target

      • msedgewebview2.exe (PID: 3644)
    • The DLL Hijacking

      • msedgewebview2.exe (PID: 3312)
      • msedgewebview2.exe (PID: 4092)
  • SUSPICIOUS

    • Reads the Internet Settings

      • powershell.exe (PID: 1348)
      • MicrosoftEdgeUpdate.exe (PID: 1768)
      • MicrosoftEdgeUpdate.exe (PID: 2260)
      • MicrosoftEdgeUpdate.exe (PID: 268)
      • cmd.exe (PID: 1932)
      • msedgewebview2.exe (PID: 3644)
      • cmd.exe (PID: 2496)
    • Process drops legitimate windows executable

      • MicrosoftEdgeUpdate.exe (PID: 1572)
      • powershell.exe (PID: 1348)
      • MicrosoftEdge_X86_109.0.1518.140.exe (PID: 2984)
      • setup.exe (PID: 4080)
    • Executable content was dropped or overwritten

      • MicrosoftEdgeUpdate.exe (PID: 1572)
      • MicrosoftEdge_X86_109.0.1518.140.exe (PID: 2984)
      • setup.exe (PID: 4080)
    • Executes as Windows Service

      • VSSVC.exe (PID: 2848)
    • Starts a Microsoft application from unusual location

      • MicrosoftEdgeUpdate.exe (PID: 1572)
    • Starts itself from another location

      • MicrosoftEdgeUpdate.exe (PID: 1572)
    • Creates/Modifies COM task schedule object

      • MicrosoftEdgeUpdate.exe (PID: 2904)
    • Reads settings of System Certificates

      • MicrosoftEdgeUpdate.exe (PID: 1768)
      • MicrosoftEdgeUpdate.exe (PID: 2260)
      • MicrosoftEdgeUpdate.exe (PID: 268)
      • msedgewebview2.exe (PID: 3644)
    • Checks Windows Trust Settings

      • MicrosoftEdgeUpdate.exe (PID: 1768)
      • MicrosoftEdgeUpdate.exe (PID: 2260)
      • MicrosoftEdgeUpdate.exe (PID: 268)
    • The Powershell connects to the Internet

      • powershell.exe (PID: 1348)
    • Unusual connection from system programs

      • powershell.exe (PID: 1348)
    • Reads security settings of Internet Explorer

      • MicrosoftEdgeUpdate.exe (PID: 2260)
      • MicrosoftEdgeUpdate.exe (PID: 1768)
      • MicrosoftEdgeUpdate.exe (PID: 268)
    • Searches for installed software

      • setup.exe (PID: 4080)
    • Creates a software uninstall entry

      • setup.exe (PID: 4080)
    • Application launched itself

      • MicrosoftEdgeUpdate.exe (PID: 2260)
      • msedgewebview2.exe (PID: 3644)
  • INFO

    • Checks supported languages

      • MicrosoftEdgeUpdate.exe (PID: 1572)
      • MicrosoftEdgeUpdate.exe (PID: 2904)
      • MicrosoftEdgeUpdate.exe (PID: 1768)
      • MicrosoftEdgeUpdate.exe (PID: 2260)
      • MicrosoftEdgeUpdate.exe (PID: 1368)
      • MicrosoftEdge_X86_109.0.1518.140.exe (PID: 2984)
      • setup.exe (PID: 4080)
      • MicrosoftEdgeUpdate.exe (PID: 268)
      • msedgewebview2.exe (PID: 3312)
      • msedgewebview2.exe (PID: 3644)
      • msedgewebview2.exe (PID: 3796)
      • msedgewebview2.exe (PID: 3336)
      • msedgewebview2.exe (PID: 3132)
      • msedgewebview2.exe (PID: 1860)
      • msedgewebview2.exe (PID: 4092)
    • Reads the computer name

      • MicrosoftEdgeUpdate.exe (PID: 1572)
      • MicrosoftEdgeUpdate.exe (PID: 2904)
      • MicrosoftEdgeUpdate.exe (PID: 1368)
      • MicrosoftEdgeUpdate.exe (PID: 1768)
      • MicrosoftEdgeUpdate.exe (PID: 2260)
      • MicrosoftEdge_X86_109.0.1518.140.exe (PID: 2984)
      • setup.exe (PID: 4080)
      • MicrosoftEdgeUpdate.exe (PID: 268)
      • msedgewebview2.exe (PID: 3644)
      • msedgewebview2.exe (PID: 3336)
      • msedgewebview2.exe (PID: 3312)
      • msedgewebview2.exe (PID: 4092)
    • Create files in a temporary directory

      • MicrosoftEdgeUpdate.exe (PID: 1572)
      • MicrosoftEdgeUpdate.exe (PID: 1768)
      • MicrosoftEdgeUpdate.exe (PID: 268)
      • msedgewebview2.exe (PID: 3644)
    • Creates files or folders in the user directory

      • MicrosoftEdgeUpdate.exe (PID: 1572)
      • MicrosoftEdgeUpdate.exe (PID: 2260)
      • MicrosoftEdgeUpdate.exe (PID: 1768)
      • MicrosoftEdge_X86_109.0.1518.140.exe (PID: 2984)
      • setup.exe (PID: 4080)
      • msedgewebview2.exe (PID: 3644)
      • msedgewebview2.exe (PID: 3796)
      • msedgewebview2.exe (PID: 3336)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 3652)
    • Reads Environment values

      • MicrosoftEdgeUpdate.exe (PID: 1768)
      • MicrosoftEdgeUpdate.exe (PID: 268)
    • Reads the machine GUID from the registry

      • MicrosoftEdgeUpdate.exe (PID: 1572)
      • MicrosoftEdgeUpdate.exe (PID: 1368)
      • MicrosoftEdgeUpdate.exe (PID: 2260)
      • MicrosoftEdgeUpdate.exe (PID: 1768)
      • MicrosoftEdgeUpdate.exe (PID: 268)
      • msedgewebview2.exe (PID: 3644)
    • Checks proxy server information

      • MicrosoftEdgeUpdate.exe (PID: 1768)
      • MicrosoftEdgeUpdate.exe (PID: 268)
    • Reads the software policy settings

      • MicrosoftEdgeUpdate.exe (PID: 1768)
      • MicrosoftEdgeUpdate.exe (PID: 2260)
      • MicrosoftEdgeUpdate.exe (PID: 268)
      • msedgewebview2.exe (PID: 3644)
    • Application launched itself

      • msedge.exe (PID: 3636)
      • msedge.exe (PID: 1196)
    • Process checks computer location settings

      • msedgewebview2.exe (PID: 3644)
      • msedgewebview2.exe (PID: 1860)
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (98.5)
.msi | Microsoft Installer (100)

EXIF

FlashPix

CodePage: Windows Latin 1 (Western European)
Title: Installation Database
Subject: JJSploit
Author: wearedevs
Keywords: Installer
Comments: This installer database contains the logic and data required to install JJSploit.
Template: Intel;0
RevisionNumber: {36D30491-2DCB-4793-81F4-D1C07F51C1FB}
CreateDate: 2023:09:12 23:53:30
ModifyDate: 2023:09:12 23:53:30
Pages: 450
Words: 2
Software: Windows Installer XML Toolset (3.11.2.4516)
Security: Read-only recommended
No data.
Total processes
88
Monitored processes
42
Malicious processes
10
Suspicious processes
1

Behavior graph

start msiexec.exe vssvc.exe no specs powershell.exe microsoftedgeupdate.exe microsoftedgeupdate.exe no specs microsoftedgeupdate.exe microsoftedgeupdate.exe no specs microsoftedgeupdate.exe microsoftedge_x86_109.0.1518.140.exe setup.exe microsoftedgeupdate.exe cmd.exe no specs cmd.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedgewebview2.exe msedgewebview2.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedgewebview2.exe no specs msedgewebview2.exe msedgewebview2.exe no specs msedge.exe no specs msedgewebview2.exe no specs msedge.exe no specs msedgewebview2.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 268
CMD: "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping …-PGFwcCBhcHBpZD0ie0YzMDE3MjI2LUZFMkEtNDI5NS04QkRGLTAwQzNBOUE3RTRDNX0iIHZlcnNpb249IiIgbmV4dHZlcnNpb249IjEwOS4wLjE1MTguMTQwIiBsYW5nPSJlbiIgYnJhbmQ9IiIgY2xpZW50PSIiIGV4cGVyaW1lbnRzPSJjb25zZW50PWZhbHNlIiBpbnN0YWxsYWdlPSItMSIgaW5zdGFsbGRhdGU9Ii0xIj48dXBkYXRlY2hlY2svPjxldmVudCBldmVudHR5cGU9IjkiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjE1ODc5OTAyMzQzIi8-…-…
Path: …:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
Parent process: MicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update
Exit code:
0
Version:
1.3.181.5
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 748
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2380 --field-trial-handle=1420,i,14878222221723783125,4215351137121902608,131072 /prefetch:8
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1196
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/@Omnidev_
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1348
CMD: powershell.exe -NoProfile -windowstyle hidden try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 } catch {}; Invoke-WebRequest -Uri "https://go.microsoft.com/fwlink/p/?LinkId=2124703" -OutFile "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" ; Start-Process -FilePath "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" -ArgumentList ('/silent', '/install') -Wait
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID: 1352
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1500 --field-trial-handle=1412,i,7965464272609942486,11033342698367348696,131072 /prefetch:3
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1368
CMD: "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=false" /installsource otherinstallcmd /sessionid "{9029BA6F-4F2C-4554-AEB6-2098B55B4966}" /silent
Path: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
Parent process: MicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update
Exit code:
0
Version:
1.3.181.5
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 1432
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3800 --field-trial-handle=1420,i,14878222221723783125,4215351137121902608,131072 /prefetch:8
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1572
CMD: C:\Users\admin\AppData\Local\Temp\EU33EC.tmp\MicrosoftEdgeUpdate.exe /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"
Path: C:\Users\admin\AppData\Local\Temp\EU33EC.tmp\MicrosoftEdgeUpdate.exe
Parent process: MicrosoftEdgeWebview2Setup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update
Exit code:
0
Version:
1.3.181.5
Modules
Images
c:\users\admin\appdata\local\temp\eu33ec.tmp\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 1632
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3260 --field-trial-handle=1420,i,14878222221723783125,4215351137121902608,131072 /prefetch:1
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1768
CMD: "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xODEuNSIgc2hlbGxfdmVyc2lvbj0iMS4zLjE4MS41IiBpc21hY2hpbmU9IjAiIHNlc3Npb25pZD0iezkwMjlCQTZGLTRGMkMtNDU1NC1BRUI2LTIwOThCNTVCNDk2Nn0iIGluc3RhbGxzb3VyY2U9Im90aGVyaW5zdGFsbGNtZCIgcmVxdWVzdGlkPSJ7RTNGNTlFOTQtREM2Mi00MjhDLUI3RDAtNUU3QkY1RTE3ODREfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjQiIHBoeXNtZW1vcnk9IjMiIGRpc2tfdHlwZT0iMCIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iNi4xLjc2MDEuMjQ1NDYiIHNwPSJTZXJ2aWNlIFBhY2sgMSIgYXJjaD0ieDg2IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSJERUxMIiBwcm9kdWN0X25hbWU9IkRFTEwiLz48ZXhwIGV0YWc9IiIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIiIG5leHR2ZXJzaW9uPSIxLjMuMTgxLjUiIGxhbmc9IiIgYnJhbmQ9IiIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjE1ODY2NDY0ODQzIiBpbnN0YWxsX3RpbWVfbXM9IjY3MiIvPjwvYXBwPjwvcmVxdWVzdD4
Path: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
Parent process: MicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update
Exit code:
0
Version:
1.3.181.5
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events
38 375
Read events
34 720
Write events
3 557
Delete events
98

Modification events

(PID) Process: (2848) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
Operation: write
Name: IDENTIFY (Enter)
Value:
40000000000000004E6687F95160DA01200B00001C090000E8030000010000000100000000000000000000000000000000000000000000000000000000000000

(PID) Process: (2848) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
Operation: write
Name: IDENTIFY (Enter)
Value:
40000000000000004E6687F95160DA01200B0000C00A0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000

(PID) Process: (2848) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer
Operation: write
Name: IDENTIFY (Enter)
Value:
40000000000000004E6687F95160DA01200B0000180B0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000

(PID) Process: (2848) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
Operation: write
Name: IDENTIFY (Enter)
Value:
40000000000000004E6687F95160DA01200B00004C0A0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000

(PID) Process: (2848) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
Operation: write
Name: IDENTIFY (Leave)
Value:
4000000000000000A8C889F95160DA01200B0000C00A0000E8030000000000000100000000000000000000000000000000000000000000000000000000000000

(PID) Process: (2848) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
Operation: write
Name: IDENTIFY (Leave)
Value:
4000000000000000A8C889F95160DA01200B00004C0A0000E8030000000000000100000000000000000000000000000000000000000000000000000000000000

(PID) Process: (2848) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
Operation: write
Name: IDENTIFY (Leave)
Value:
4000000000000000A8C889F95160DA01200B00001C090000E8030000000000000100000000000000000000000000000000000000000000000000000000000000

(PID) Process: (2848) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer
Operation: write
Name: IDENTIFY (Leave)
Value:
4000000000000000022B8CF95160DA01200B0000180B0000E8030000000000000100000000000000000000000000000000000000000000000000000000000000

(PID) Process: (2848) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
Operation: write
Name: PROVIDER_BEGINPREPARE (Enter)
Value:
4000000000000000347C02FB5160DA01200B0000180B0000010400000100000000000000000000004B18329F9E987446A98BDC6D7B5803B90000000000000000

(PID) Process: (2848) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
Operation: write
Name: PROVIDER_BEGINPREPARE (Leave)
Value:
4000000000000000347C02FB5160DA01200B0000180B0000010400000000000000000000000000004B18329F9E987446A98BDC6D7B5803B90000000000000000
Executable files
107
Suspicious files
97
Text files
96
Unknown types
64

Dropped files

PID
Process
Filename
Type
PID: 3652
Process: msiexec.exe
Filename: C:\Users\admin\AppData\Local\Temp\MSIF4D.tmp
Type: executable
MD5: 4FDD16752561CF585FED1506914D73E0
SHA256: AECD2D2FE766F6D439ACC2BBF1346930ECC535012CF5AD7B3273D2875237B7E7

PID: 1572
Process: MicrosoftEdgeUpdate.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.181.5\msedgeupdateres_am.dll
Type: executable
MD5: 27B4625745B0D9036FAEEF288DCDC71F
SHA256: 74FEFC1AD1BCA85AE3CDCB197396568E9CCDC3DE9095CC3E787E6E28F9A04487

PID: 1572
Process: MicrosoftEdgeUpdate.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.181.5\msedgeupdate.dll
Type: executable
MD5: 0BEC55833F356F89B8D9D63727DDC43E
SHA256: B360AFADECB2334BA103D515C506E792CB9AEEA5925A6CF85DBFD786A225FFC3

PID: 1572
Process: MicrosoftEdgeUpdate.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.181.5\MicrosoftEdgeUpdateCore.exe
Type: executable
MD5: 3FA9AE698A600FF3422995504CD088C4
SHA256: A8E1533F87AC5273F908FBB67EDB786F231FCAE44B49DD5E6CEB3C777C1F01A9

PID: 1348
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\wisvcgwe.oyt.ps1
Type: binary
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA256:

PID: 1348
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe
Type: executable
MD5: 2FBE10E4233824FBEA08DDF085D7DF96
SHA256: 5B01D964CED28C1FF850B4DE05A71F386ADDD815A30C4A9EE210EF90619DF58E

PID: 1572
Process: MicrosoftEdgeUpdate.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.181.5\MicrosoftEdgeUpdateComRegisterShell64.exe
Type: executable
MD5: 7750D94E4719BA69F5F83213444C0015
SHA256: 1AB31694FF0B6283FBB6EC062D6EAB9FFB26DF9D6D1BA140CF60A8E7A4CB9FE5

PID: 1572
Process: MicrosoftEdgeUpdate.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.181.5\msedgeupdateres_bs.dll
Type: executable
MD5: 139D647896AF07432B0C810977139FDB
SHA256: 0F3D5EA311F13F94B8C0F9BD6C8FE8351CA85A9E92D96B3AC3A54E87A2167833

PID: 1572
Process: MicrosoftEdgeUpdate.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.181.5\EdgeUpdate.dat
Type: binary
MD5: 369BBC37CFF290ADB8963DC5E518B9B8
SHA256: 3D7EC761BEF1B1AF418B909F1C81CE577C769722957713FDAFBC8131B0A0C7D3

PID: 1572
Process: MicrosoftEdgeUpdate.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.181.5\msedgeupdateres_af.dll
Type: executable
MD5: CA3B6944F47FB398E4656D7076E3D247
SHA256: D1D58D338DB2F0F885D7E945613C2E6B98CE02534A2635C392CEC04E8C8B5F71
HTTP(S) requests
6
TCP/UDP connections
50
DNS requests
48
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1768
MicrosoftEdgeUpdate.exe
GET
304
173.222.108.195:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?d123ac630b302fcd
CH
unknown
1768
MicrosoftEdgeUpdate.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
US
binary
471 b
unknown
856
svchost.exe
HEAD
200
104.124.11.33:80
http://msedge.f.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/d87a3bbd-7fe5-4ec3-b806-293cca78b363?P1=1708635627&P2=404&P3=2&P4=cw1jbLjH%2f7Owzg0DJcQOubObwMtZZ6R2J9Jz9CRwOi5XIfSOe6JDTl1KgmZPuggxE8rfs4mYFZSdU1tZHx%2b1Vw%3d%3d
DE
unknown
1080
svchost.exe
GET
200
2.16.100.155:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?0754c686571bd23f
DE
compressed
65.2 Kb
unknown
856
svchost.exe
GET
200
104.124.11.33:80
http://msedge.f.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/d87a3bbd-7fe5-4ec3-b806-293cca78b363?P1=1708635627&P2=404&P3=2&P4=cw1jbLjH%2f7Owzg0DJcQOubObwMtZZ6R2J9Jz9CRwOi5XIfSOe6JDTl1KgmZPuggxE8rfs4mYFZSdU1tZHx%2b1Vw%3d%3d
DE
executable
122 Mb
unknown
1080
svchost.exe
GET
304
2.16.100.155:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?624d1ab720bef5f8
DE
compressed
65.2 Kb
unknown

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted
1080
svchost.exe
224.0.0.252:5355
unknown
1348
powershell.exe
23.211.9.234:443
go.microsoft.com
AKAMAI-AS
DE
unknown
1348
powershell.exe
2.19.11.11:443
msedge.sf.dl.delivery.mp.microsoft.com
Elisa Oyj
NL
unknown
1768
MicrosoftEdgeUpdate.exe
13.107.42.16:443
config.edge.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
2260
MicrosoftEdgeUpdate.exe
23.102.129.60:443
msedge.api.cdp.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
1768
MicrosoftEdgeUpdate.exe
20.189.173.2:443
self.events.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
1768
MicrosoftEdgeUpdate.exe
173.222.108.195:80
ctldl.windowsupdate.com
Akamai International B.V.
CH
unknown
2248
svchost.exe
239.255.255.250:1900
unknown

DNS requests

Domain
IP
Reputation
go.microsoft.com
  • 23.211.9.234
whitelisted
msedge.sf.dl.delivery.mp.microsoft.com
  • 2.19.11.11
  • 2.19.11.6
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
msedge.api.cdp.microsoft.com
  • 23.102.129.60
whitelisted
self.events.data.microsoft.com
  • 20.189.173.2
  • 20.42.65.85
whitelisted
ctldl.windowsupdate.com
  • 173.222.108.195
  • 173.222.108.249
  • 2.16.100.155
  • 2.16.100.169
  • 88.221.110.121
  • 88.221.110.91
  • 88.221.110.64
  • 2.16.100.138
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
msedge.f.tlu.dl.delivery.mp.microsoft.com
  • 104.124.11.33
  • 104.124.11.35
whitelisted
www.youtube.com
  • 142.250.181.238
  • 142.250.186.174
  • 142.250.186.78
  • 172.217.16.142
  • 142.250.186.142
  • 142.250.74.206
  • 216.58.206.46
  • 172.217.18.14
  • 142.250.186.110
  • 172.217.16.206
  • 216.58.212.174
  • 142.250.186.46
  • 172.217.18.110
  • 172.217.23.110
  • 142.250.185.78
  • 142.250.185.110
whitelisted
edge.microsoft.com
  • 204.79.197.239
  • 13.107.21.239
whitelisted

Threats

PID
Process
Class
Message
856
svchost.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
Process
Message
msedgewebview2.exe
RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\net.wearedevs directory exists )