File name:

JJSploit_8.10.14_x64_en-US.msi

Full analysis: https://app.any.run/tasks/2aa7037a-20c2-40c2-90b9-6b3dd014427b
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: December 14, 2024, 19:13:44
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
generated-doc
loader
github
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: JJSploit, Author: wearedevs, Keywords: Installer, Comments: This installer database contains the logic and data required to install JJSploit., Template: x64;0, Revision Number: {29FDB81A-9E7C-4745-9E3D-FDA8868D323C}, Create Time/Date: Sun Nov 17 18:07:42 2024, Last Saved Time/Date: Sun Nov 17 18:07:42 2024, Number of Pages: 450, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
MD5:

9A5E4420FD429B7444E7F02B2B52D0BC

SHA1:

056E5AC7EF1334698F4337435985A2D6A52AE059

SHA256:

44EF9C095FDC078CAD8648BC9EC75F744D2C72229EE427EAC65FBC1859E57172

SSDEEP:

98304:SEGR+Uio9dIBZX+JmT9CnGBKylVdlfkD3KHag2oZ7eljaj4y9lyDVOgupN5gE7l3:fl0HSa1Ar

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 7080)

    • Changes the autorun value in the registry

      • MicrosoftEdgeUpdate.exe (PID: 1804)

    • The DLL Hijacking

      • msedgewebview2.exe (PID: 2076)
      • msedgewebview2.exe (PID: 1412)

    • Scans artifacts that could help determine the target

      • msedgewebview2.exe (PID: 5392)

  • SUSPICIOUS

    • Executes as Windows Service

      • VSSVC.exe (PID: 6660)

    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 6060)

    • Manipulates environment variables

      • powershell.exe (PID: 7080)

    • Starts POWERSHELL.EXE for commands execution

      • msiexec.exe (PID: 6060)

    • Starts process via Powershell

      • powershell.exe (PID: 7080)

    • The process bypasses the loading of PowerShell profile settings

      • msiexec.exe (PID: 6060)

    • Downloads file from URI via Powershell

      • powershell.exe (PID: 7080)

    • Gets or sets the security protocol (POWERSHELL)

      • powershell.exe (PID: 7080)

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 7080)
      • MicrosoftEdgeUpdate.exe (PID: 1804)
      • MicrosoftEdgeWebview2Setup.exe (PID: 5308)
      • MicrosoftEdge_X64_131.0.2903.99.exe (PID: 2572)
      • setup.exe (PID: 4164)
      • JJSploit.exe (PID: 6972)

    • Process drops legitimate windows executable

      • powershell.exe (PID: 7080)
      • MicrosoftEdgeWebview2Setup.exe (PID: 5308)
      • MicrosoftEdgeUpdate.exe (PID: 1804)
      • MicrosoftEdge_X64_131.0.2903.99.exe (PID: 2572)
      • setup.exe (PID: 4164)

    • Starts a Microsoft application from unusual location

      • MicrosoftEdgeWebview2Setup.exe (PID: 5308)
      • MicrosoftEdgeUpdate.exe (PID: 1804)

    • Creates/Modifies COM task schedule object

      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 3364)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 5076)
      • MicrosoftEdgeUpdate.exe (PID: 3544)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 5096)

    • Reads security settings of Internet Explorer

      • MicrosoftEdgeUpdate.exe (PID: 1804)
      • MicrosoftEdgeUpdate.exe (PID: 3208)
      • msiexec.exe (PID: 6604)
      • msedgewebview2.exe (PID: 5392)
      • msedgewebview2.exe (PID: 5520)

    • Starts itself from another location

      • MicrosoftEdgeUpdate.exe (PID: 1804)

    • Potential Corporate Privacy Violation

      • svchost.exe (PID: 6484)

    • Checks Windows Trust Settings

      • MicrosoftEdgeUpdate.exe (PID: 3208)

    • Application launched itself

      • setup.exe (PID: 4164)
      • MicrosoftEdgeUpdate.exe (PID: 3208)
      • msedgewebview2.exe (PID: 5392)
      • JJSploit.exe (PID: 6972)
      • msedgewebview2.exe (PID: 5520)

    • Creates a software uninstall entry

      • setup.exe (PID: 4164)

    • Searches for installed software

      • setup.exe (PID: 4164)
      • msedgewebview2.exe (PID: 5392)

    • The process checks if it is being run in the virtual environment

      • JJSploit.exe (PID: 6972)
      • JJSploit.exe (PID: 5964)

  • INFO

    • Reads the computer name

      • msiexec.exe (PID: 6604)
      • msiexec.exe (PID: 6060)
      • MicrosoftEdgeUpdate.exe (PID: 1804)
      • MicrosoftEdgeUpdate.exe (PID: 3544)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 3364)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 5076)
      • MicrosoftEdgeUpdate.exe (PID: 5320)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 5096)
      • MicrosoftEdgeUpdate.exe (PID: 3208)
      • MicrosoftEdge_X64_131.0.2903.99.exe (PID: 2572)
      • MicrosoftEdgeUpdate.exe (PID: 6280)
      • setup.exe (PID: 4164)
      • MicrosoftEdgeUpdate.exe (PID: 4840)
      • JJSploit.exe (PID: 6972)
      • msedgewebview2.exe (PID: 5392)
      • msedgewebview2.exe (PID: 2076)
      • msedgewebview2.exe (PID: 2600)
      • JJSploit.exe (PID: 5964)
      • msedgewebview2.exe (PID: 7156)
      • msedgewebview2.exe (PID: 1412)
      • msedgewebview2.exe (PID: 5520)

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 4392)
      • msiexec.exe (PID: 6060)

    • An automatically generated document

      • msiexec.exe (PID: 4392)

    • Checks supported languages

      • msiexec.exe (PID: 6604)
      • msiexec.exe (PID: 6060)
      • MicrosoftEdgeWebview2Setup.exe (PID: 5308)
      • MicrosoftEdgeUpdate.exe (PID: 1804)
      • MicrosoftEdgeUpdate.exe (PID: 3544)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 5096)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 3364)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 5076)
      • MicrosoftEdgeUpdate.exe (PID: 5320)
      • MicrosoftEdgeUpdate.exe (PID: 6280)
      • MicrosoftEdgeUpdate.exe (PID: 3208)
      • MicrosoftEdge_X64_131.0.2903.99.exe (PID: 2572)
      • setup.exe (PID: 4164)
      • setup.exe (PID: 4968)
      • MicrosoftEdgeUpdate.exe (PID: 4840)
      • JJSploit.exe (PID: 6972)
      • msedgewebview2.exe (PID: 5392)
      • msedgewebview2.exe (PID: 6204)
      • msedgewebview2.exe (PID: 2600)
      • msedgewebview2.exe (PID: 2076)
      • msedgewebview2.exe (PID: 2292)
      • msedgewebview2.exe (PID: 6240)
      • msedgewebview2.exe (PID: 3080)
      • JJSploit.exe (PID: 5964)
      • msedgewebview2.exe (PID: 5520)
      • msedgewebview2.exe (PID: 1412)
      • msedgewebview2.exe (PID: 7156)
      • msedgewebview2.exe (PID: 7084)
      • msedgewebview2.exe (PID: 1540)
      • msedgewebview2.exe (PID: 4872)

    • Manages system restore points

      • SrTasks.exe (PID: 6948)

    • Creates a software uninstall entry

      • msiexec.exe (PID: 6060)

    • Checks proxy server information

      • powershell.exe (PID: 7080)
      • MicrosoftEdgeUpdate.exe (PID: 5320)
      • MicrosoftEdgeUpdate.exe (PID: 3208)
      • MicrosoftEdgeUpdate.exe (PID: 4840)
      • msedgewebview2.exe (PID: 5392)
      • JJSploit.exe (PID: 6972)
      • msedgewebview2.exe (PID: 5520)
      • JJSploit.exe (PID: 5964)

    • Disables trace logs

      • powershell.exe (PID: 7080)

    • The process uses the downloaded file

      • powershell.exe (PID: 7080)
      • msiexec.exe (PID: 6604)

    • The executable file from the user directory is run by the Powershell process

      • MicrosoftEdgeWebview2Setup.exe (PID: 5308)

    • The sample compiled with english language support

      • MicrosoftEdgeWebview2Setup.exe (PID: 5308)
      • MicrosoftEdgeUpdate.exe (PID: 1804)
      • powershell.exe (PID: 7080)
      • svchost.exe (PID: 6484)
      • MicrosoftEdge_X64_131.0.2903.99.exe (PID: 2572)
      • setup.exe (PID: 4164)
      • JJSploit.exe (PID: 6972)

    • Create files in a temporary directory

      • MicrosoftEdgeWebview2Setup.exe (PID: 5308)
      • MicrosoftEdgeUpdate.exe (PID: 1804)
      • svchost.exe (PID: 6484)
      • msedgewebview2.exe (PID: 5392)
      • msedgewebview2.exe (PID: 5520)

    • Creates files or folders in the user directory

      • MicrosoftEdgeUpdate.exe (PID: 1804)
      • MicrosoftEdgeUpdate.exe (PID: 3208)
      • MicrosoftEdge_X64_131.0.2903.99.exe (PID: 2572)
      • setup.exe (PID: 4164)
      • setup.exe (PID: 4968)
      • msedgewebview2.exe (PID: 6204)
      • msedgewebview2.exe (PID: 5392)
      • msedgewebview2.exe (PID: 2600)
      • msedgewebview2.exe (PID: 5520)
      • msedgewebview2.exe (PID: 7156)

    • Reads Environment values

      • MicrosoftEdgeUpdate.exe (PID: 5320)
      • MicrosoftEdgeUpdate.exe (PID: 4840)
      • msedgewebview2.exe (PID: 5392)
      • msedgewebview2.exe (PID: 5520)

    • Process checks computer location settings

      • MicrosoftEdgeUpdate.exe (PID: 1804)
      • setup.exe (PID: 4164)
      • msiexec.exe (PID: 6604)
      • msedgewebview2.exe (PID: 5392)
      • msedgewebview2.exe (PID: 6240)
      • msedgewebview2.exe (PID: 5520)
      • msedgewebview2.exe (PID: 1540)

    • Reads the software policy settings

      • MicrosoftEdgeUpdate.exe (PID: 5320)
      • MicrosoftEdgeUpdate.exe (PID: 3208)
      • MicrosoftEdgeUpdate.exe (PID: 4840)
      • JJSploit.exe (PID: 6972)
      • JJSploit.exe (PID: 5964)

    • Reads the machine GUID from the registry

      • MicrosoftEdgeUpdate.exe (PID: 3208)
      • msedgewebview2.exe (PID: 5392)
      • msedgewebview2.exe (PID: 5520)

    • Sends debugging messages

      • msedgewebview2.exe (PID: 5392)
      • JJSploit.exe (PID: 6972)
      • msedgewebview2.exe (PID: 5520)
      • JJSploit.exe (PID: 5964)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (98.5)
.msi | Microsoft Installer (100)

EXIF

FlashPix

CodePage: Windows Latin 1 (Western European)
Title: Installation Database
Subject: JJSploit
Author: wearedevs
Keywords: Installer
Comments: This installer database contains the logic and data required to install JJSploit.
Template: x64;0
RevisionNumber: {29FDB81A-9E7C-4745-9E3D-FDA8868D323C}
CreateDate: 2024:11:17 18:07:42
ModifyDate: 2024:11:17 18:07:42
Pages: 450
Words: 2
Software: Windows Installer XML Toolset (3.14.1.8722)
Security: Read-only recommended
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
167
Monitored processes
37
Malicious processes
15
Suspicious processes
1

Behavior graph

Click at the process to see the details
start msiexec.exe msiexec.exe msiexec.exe no specs vssvc.exe no specs srtasks.exe no specs conhost.exe no specs powershell.exe conhost.exe no specs microsoftedgewebview2setup.exe microsoftedgeupdate.exe microsoftedgeupdate.exe no specs microsoftedgeupdatecomregistershell64.exe no specs microsoftedgeupdatecomregistershell64.exe no specs microsoftedgeupdatecomregistershell64.exe no specs microsoftedgeupdate.exe microsoftedgeupdate.exe no specs microsoftedgeupdate.exe svchost.exe microsoftedge_x64_131.0.2903.99.exe setup.exe setup.exe no specs microsoftedgeupdate.exe jjsploit.exe msedgewebview2.exe msedgewebview2.exe no specs msedgewebview2.exe no specs msedgewebview2.exe msedgewebview2.exe no specs msedgewebview2.exe no specs msedgewebview2.exe no specs jjsploit.exe msedgewebview2.exe msedgewebview2.exe no specs msedgewebview2.exe no specs msedgewebview2.exe msedgewebview2.exe no specs msedgewebview2.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1412"C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\131.0.2903.99\msedgewebview2.exe" --type=gpu-process --string-annotations=is-enterprise-managed=no --noerrdialogs --user-data-dir="C:\Users\admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=8.10.14 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1876,i,5487833063467030404,13199611563079697893,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=1856 /prefetch:2C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\131.0.2903.99\msedgewebview2.exemsedgewebview2.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge WebView2
Version:
131.0.2903.99
Modules
Images
c:\users\admin\appdata\local\microsoft\edgewebview\application\131.0.2903.99\msedgewebview2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\microsoft\edgewebview\application\131.0.2903.99\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1540"C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\131.0.2903.99\msedgewebview2.exe" --type=renderer --string-annotations=is-enterprise-managed=no --noerrdialogs --user-data-dir="C:\Users\admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=8.10.14 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=" --field-trial-handle=3552,i,5487833063467030404,13199611563079697893,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=3544 /prefetch:1C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\131.0.2903.99\msedgewebview2.exemsedgewebview2.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge WebView2
Version:
131.0.2903.99
Modules
Images
c:\users\admin\appdata\local\microsoft\edgewebview\application\131.0.2903.99\msedgewebview2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\microsoft\edgewebview\application\131.0.2903.99\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1804C:\Users\admin\AppData\Local\Temp\EUD98B.tmp\MicrosoftEdgeUpdate.exe /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"C:\Users\admin\AppData\Local\Temp\EUD98B.tmp\MicrosoftEdgeUpdate.exe
MicrosoftEdgeWebview2Setup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update
Exit code:
0
Version:
1.3.195.39
Modules
Images
c:\users\admin\appdata\local\temp\eud98b.tmp\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\ucrtbase.dll
2076"C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\131.0.2903.99\msedgewebview2.exe" --type=gpu-process --string-annotations=is-enterprise-managed=no --noerrdialogs --user-data-dir="C:\Users\admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=8.10.14 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1872,i,5605703505999822703,11228173509255923462,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=1868 /prefetch:2C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\131.0.2903.99\msedgewebview2.exemsedgewebview2.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge WebView2
Exit code:
0
Version:
131.0.2903.99
Modules
Images
c:\users\admin\appdata\local\microsoft\edgewebview\application\131.0.2903.99\msedgewebview2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\microsoft\edgewebview\application\131.0.2903.99\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2292"C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\131.0.2903.99\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations=is-enterprise-managed=no --noerrdialogs --user-data-dir="C:\Users\admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=8.10.14 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --field-trial-handle=2424,i,5605703505999822703,11228173509255923462,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=2436 /prefetch:8C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\131.0.2903.99\msedgewebview2.exemsedgewebview2.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge WebView2
Exit code:
0
Version:
131.0.2903.99
Modules
Images
c:\users\admin\appdata\local\microsoft\edgewebview\application\131.0.2903.99\msedgewebview2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\microsoft\edgewebview\application\131.0.2903.99\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2572"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\Install\{252FD92B-4F3B-43B5-AE48-A78AC2FFFC17}\MicrosoftEdge_X64_131.0.2903.99.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --user-levelC:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\Install\{252FD92B-4F3B-43B5-AE48-A78AC2FFFC17}\MicrosoftEdge_X64_131.0.2903.99.exe
MicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Installer
Exit code:
0
Version:
131.0.2903.99
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\install\{252fd92b-4f3b-43b5-ae48-a78ac2fffc17}\microsoftedge_x64_131.0.2903.99.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\shell32.dll
2600"C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\131.0.2903.99\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations=is-enterprise-managed=no --noerrdialogs --user-data-dir="C:\Users\admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=8.10.14 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --field-trial-handle=2120,i,5605703505999822703,11228173509255923462,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=2136 /prefetch:3C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\131.0.2903.99\msedgewebview2.exe
msedgewebview2.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge WebView2
Exit code:
0
Version:
131.0.2903.99
Modules
Images
c:\users\admin\appdata\local\microsoft\edgewebview\application\131.0.2903.99\msedgewebview2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\microsoft\edgewebview\application\131.0.2903.99\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3080"C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\131.0.2903.99\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations=is-enterprise-managed=no --noerrdialogs --user-data-dir="C:\Users\admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=8.10.14 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --field-trial-handle=4476,i,5605703505999822703,11228173509255923462,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=2320 /prefetch:8C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\131.0.2903.99\msedgewebview2.exemsedgewebview2.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge WebView2
Exit code:
0
Version:
131.0.2903.99
Modules
Images
c:\users\admin\appdata\local\microsoft\edgewebview\application\131.0.2903.99\msedgewebview2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\microsoft\edgewebview\application\131.0.2903.99\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3208"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" -EmbeddingC:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update
Exit code:
0
Version:
1.3.195.39
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\ucrtbase.dll
3364"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.195.39\MicrosoftEdgeUpdateComRegisterShell64.exe" /user C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.195.39\MicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update COM Registration Helper
Exit code:
0
Version:
1.3.195.39
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\1.3.195.39\microsoftedgeupdatecomregistershell64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
Total events
29 513
Read events
24 718
Write events
4 710
Delete events
85

Modification events

(PID) Process:(6060) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppGetSnapshots (Leave)
Value:
48000000000000003FEC97575C4EDB01AC170000F4190000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(6060) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppEnumGroups (Enter)
Value:
48000000000000003FEC97575C4EDB01AC170000F4190000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(6060) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppCreate (Enter)
Value:
480000000000000014159F575C4EDB01AC170000F4190000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(6060) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation:writeName:SrCreateRp (Enter)
Value:
4800000000000000462B55575C4EDB01AC170000F4190000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(6060) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppGetSnapshots (Enter)
Value:
4800000000000000462B55575C4EDB01AC170000F4190000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(6060) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppEnumGroups (Leave)
Value:
4800000000000000BF629A575C4EDB01AC170000F4190000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(6060) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppGatherWriterMetadata (Enter)
Value:
4800000000000000AF8311585C4EDB01AC170000F4190000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(6660) VSSVC.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
Operation:writeName:IDENTIFY (Enter)
Value:
480000000000000017CB1F585C4EDB01041A0000241A0000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(6660) VSSVC.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
Operation:writeName:IDENTIFY (Enter)
Value:
480000000000000017CB1F585C4EDB01041A0000201A0000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(6660) VSSVC.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
Operation:writeName:IDENTIFY (Enter)
Value:
480000000000000017CB1F585C4EDB01041A0000801A0000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
Executable files
227
Suspicious files
187
Text files
64
Unknown types
26

Dropped files

PID
Process
Filename
Type
6060msiexec.exeC:\System Volume Information\SPP\metadata-2
MD5:
SHA256:
6060msiexec.exeC:\Windows\Installer\13b9dd.msi
MD5:
SHA256:
6060msiexec.exeC:\System Volume Information\SPP\snapshot-2binary
MD5:1EA8E6174AA9FA31D4E99078276E8F0D
SHA256:4AE33AC6D52803907BA7CF12AAC3EABA91143D2A50BDF9C8630BD706AADEC748
6060msiexec.exeC:\Program Files\JJSploit\resources\luascripts\general\teleportto.luatext
MD5:6F9AFF06C0F98D0410365578D2AD1DFB
SHA256:02BDF1C9CFACE7C7F710B4B538673B14B39BC824B1DB4EA4EC6376DD000535B4
6060msiexec.exeC:\Program Files\JJSploit\JJSploit.exeexecutable
MD5:281A79ABB33F10B3F9C6C40C0E165CC3
SHA256:30F840BE1B9249D22C6BDC943D6901EE8723284770BE1B7E18EA12A844D91F77
6060msiexec.exeC:\Program Files\JJSploit\resources\luascripts\jailbreak\removewalls.luatext
MD5:00BC897C4BCBDF5660C3B1F703602F0B
SHA256:A477FFE6D4C769E2E859417AF43ED4E21107E174DF8274BC9487963659462F31
6060msiexec.exeC:\Program Files\JJSploit\resources\luascripts\general\infinitejump.luabinary
MD5:F13B9AD3F7D7EB0827D189699D50490C
SHA256:E81510EB4EE69A72D9087DEFD412453C0C63D2772CAC3749757B842FB126E435
6060msiexec.exeC:\Program Files\JJSploit\resources\luascripts\general\noclip.luatext
MD5:D6A6EE15AE62C9922EBFA6DB81263288
SHA256:9F4EFC279D94977F92BD52165DFDA141A43AFF9149E044ED44742F7EF39CFE4F
6060msiexec.exeC:\Program Files\JJSploit\resources\luascripts\jailbreak\walkspeed.luabinary
MD5:76D6BC545A92D108FF8A18614A5DB4AD
SHA256:A7931EE89662C563637E1752228923D182F42F3A70286D4FD0A1FFF993C9766D
6060msiexec.exeC:\Program Files\JJSploit\resources\luascripts\general\chattroll.luabinary
MD5:E1B50885CBA14899315B8BD4EA19A3DA
SHA256:E319DBE0926EF8DB1854E6481C5FA02EA71ABDFE0A0CBEF0656B4C441E0B22E8
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
16
TCP/UDP connections
63
DNS requests
64
Threats
8

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1684
svchost.exe
GET
200
88.221.218.99:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
DE
binary
1.01 Kb
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
88.221.218.99:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
DE
binary
1.01 Kb
whitelisted
GET
200
88.221.218.99:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
DE
binary
1.01 Kb
whitelisted
1684
svchost.exe
GET
200
2.21.137.121:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
DE
binary
973 b
whitelisted
5064
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
US
binary
312 b
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
2.21.137.121:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
DE
binary
973 b
whitelisted
GET
200
2.21.137.121:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
DE
binary
973 b
whitelisted
6484
svchost.exe
HEAD
200
217.20.57.35:80
http://msedge.f.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/0f6a6dd3-0b22-4e78-b04f-60494eb4c4e8?P1=1734808471&P2=404&P3=2&P4=ndTTMbZXdav%2bv%2frp1M8RU4E0jTEMIwVfbZxKaqj9%2brpmPoliO0MeGNJbP0zOUlDvFhoQZLMEwXDO04lbL9QOFw%3d%3d
US
whitelisted
6484
svchost.exe
HEAD
200
199.232.214.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/0529a13c-ea24-474d-87d7-66f668b071b4?P1=1734763650&P2=404&P3=2&P4=Y2HHuJj2podPu7W43uri1SCiuD7rpBIpFZCifAIRYHnC1moxG3szqlh0XeBlXqv64LN4x%2bX2K6eUKIf%2fs0gBhw%3d%3d
US
whitelisted
6484
svchost.exe
GET
200
217.20.57.35:80
http://msedge.f.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/0f6a6dd3-0b22-4e78-b04f-60494eb4c4e8?P1=1734808471&P2=404&P3=2&P4=ndTTMbZXdav%2bv%2frp1M8RU4E0jTEMIwVfbZxKaqj9%2brpmPoliO0MeGNJbP0zOUlDvFhoQZLMEwXDO04lbL9QOFw%3d%3d
US
executable
168 Mb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
5064
SearchApp.exe
2.21.245.29:443
www.bing.com
Akamai International B.V.
NL
whitelisted
4712
MoUsoCoreWorker.exe
88.221.218.99:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1684
svchost.exe
88.221.218.99:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
88.221.218.99:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5064
SearchApp.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
4712
MoUsoCoreWorker.exe
2.21.137.121:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
1684
svchost.exe
2.21.137.121:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
2.21.137.121:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
google.com
  • 142.251.143.46
whitelisted
www.bing.com
  • 2.21.245.29
whitelisted
crl.microsoft.com
  • 88.221.218.99
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
www.microsoft.com
  • 2.21.137.121
whitelisted
go.microsoft.com
  • 2.16.194.83
whitelisted
msedge.sf.dl.delivery.mp.microsoft.com
  • 2.21.245.147
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
msedge.api.cdp.microsoft.com
  • 4.151.228.221
whitelisted

Threats

PID
Process
Class
Message
6484
svchost.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2600
msedgewebview2.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
2600
msedgewebview2.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
2600
msedgewebview2.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
2192
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to access raw user content on GitHub
7156
msedgewebview2.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
7156
msedgewebview2.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
7156
msedgewebview2.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
Process
Message
msedgewebview2.exe
RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\net.wearedevs directory exists )
JJSploit.exe
Warning: AddWebResourceRequestedFilter without SourceKind parameter is deprecated! It does not behave as expected for iframes.Please use AddWebResourceRequestedFilterWithRequestSourceKinds instead. For more information, please see https://go.microsoft.com/fwlink/?linkid=2286319
msedgewebview2.exe
RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\net.wearedevs\EBWebView directory exists )
JJSploit.exe
Warning: AddWebResourceRequestedFilter without SourceKind parameter is deprecated! It does not behave as expected for iframes.Please use AddWebResourceRequestedFilterWithRequestSourceKinds instead. For more information, please see https://go.microsoft.com/fwlink/?linkid=2286319
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
JJSploit_8.10.14_x64_en-US.msi