File name:

JJSploit_8.10.14_x64_en-US.msi

Full analysis: https://app.any.run/tasks/2aa7037a-20c2-40c2-90b9-6b3dd014427b
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: December 14, 2024, 19:13:44
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
generated-doc
loader
github
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: JJSploit, Author: wearedevs, Keywords: Installer, Comments: This installer database contains the logic and data required to install JJSploit., Template: x64;0, Revision Number: {29FDB81A-9E7C-4745-9E3D-FDA8868D323C}, Create Time/Date: Sun Nov 17 18:07:42 2024, Last Saved Time/Date: Sun Nov 17 18:07:42 2024, Number of Pages: 450, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
MD5:

9A5E4420FD429B7444E7F02B2B52D0BC

SHA1:

056E5AC7EF1334698F4337435985A2D6A52AE059

SHA256:

44EF9C095FDC078CAD8648BC9EC75F744D2C72229EE427EAC65FBC1859E57172

SSDEEP:

98304:SEGR+Uio9dIBZX+JmT9CnGBKylVdlfkD3KHag2oZ7eljaj4y9lyDVOgupN5gE7l3:fl0HSa1Ar

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 7080)

    • Changes the autorun value in the registry

      • MicrosoftEdgeUpdate.exe (PID: 1804)

    • The DLL Hijacking

      • msedgewebview2.exe (PID: 2076)
      • msedgewebview2.exe (PID: 1412)

    • Scans artifacts that could help determine the target

      • msedgewebview2.exe (PID: 5392)

  • SUSPICIOUS

    • Executes as Windows Service

      • VSSVC.exe (PID: 6660)

    • Starts process via Powershell

      • powershell.exe (PID: 7080)

    • Starts POWERSHELL.EXE for commands execution

      • msiexec.exe (PID: 6060)

    • The process bypasses the loading of PowerShell profile settings

      • msiexec.exe (PID: 6060)

    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 6060)

    • Manipulates environment variables

      • powershell.exe (PID: 7080)

    • Downloads file from URI via Powershell

      • powershell.exe (PID: 7080)

    • Gets or sets the security protocol (POWERSHELL)

      • powershell.exe (PID: 7080)

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 7080)
      • MicrosoftEdgeWebview2Setup.exe (PID: 5308)
      • MicrosoftEdge_X64_131.0.2903.99.exe (PID: 2572)
      • MicrosoftEdgeUpdate.exe (PID: 1804)
      • JJSploit.exe (PID: 6972)
      • setup.exe (PID: 4164)

    • Process drops legitimate windows executable

      • powershell.exe (PID: 7080)
      • MicrosoftEdgeWebview2Setup.exe (PID: 5308)
      • MicrosoftEdgeUpdate.exe (PID: 1804)
      • MicrosoftEdge_X64_131.0.2903.99.exe (PID: 2572)
      • setup.exe (PID: 4164)

    • Starts a Microsoft application from unusual location

      • MicrosoftEdgeWebview2Setup.exe (PID: 5308)
      • MicrosoftEdgeUpdate.exe (PID: 1804)

    • Starts itself from another location

      • MicrosoftEdgeUpdate.exe (PID: 1804)

    • Creates/Modifies COM task schedule object

      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 3364)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 5076)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 5096)
      • MicrosoftEdgeUpdate.exe (PID: 3544)

    • Reads security settings of Internet Explorer

      • MicrosoftEdgeUpdate.exe (PID: 1804)
      • MicrosoftEdgeUpdate.exe (PID: 3208)
      • msiexec.exe (PID: 6604)
      • msedgewebview2.exe (PID: 5392)
      • msedgewebview2.exe (PID: 5520)

    • Potential Corporate Privacy Violation

      • svchost.exe (PID: 6484)

    • Checks Windows Trust Settings

      • MicrosoftEdgeUpdate.exe (PID: 3208)

    • Application launched itself

      • setup.exe (PID: 4164)
      • MicrosoftEdgeUpdate.exe (PID: 3208)
      • msedgewebview2.exe (PID: 5392)
      • JJSploit.exe (PID: 6972)
      • msedgewebview2.exe (PID: 5520)

    • Creates a software uninstall entry

      • setup.exe (PID: 4164)

    • Searches for installed software

      • setup.exe (PID: 4164)
      • msedgewebview2.exe (PID: 5392)

    • The process checks if it is being run in the virtual environment

      • JJSploit.exe (PID: 6972)
      • JJSploit.exe (PID: 5964)

  • INFO

    • Checks supported languages

      • msiexec.exe (PID: 6060)
      • MicrosoftEdgeWebview2Setup.exe (PID: 5308)
      • MicrosoftEdgeUpdate.exe (PID: 1804)
      • MicrosoftEdgeUpdate.exe (PID: 3544)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 3364)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 5076)
      • MicrosoftEdgeUpdate.exe (PID: 5320)
      • MicrosoftEdgeUpdate.exe (PID: 3208)
      • MicrosoftEdgeUpdate.exe (PID: 6280)
      • msiexec.exe (PID: 6604)
      • MicrosoftEdge_X64_131.0.2903.99.exe (PID: 2572)
      • setup.exe (PID: 4164)
      • setup.exe (PID: 4968)
      • MicrosoftEdgeUpdate.exe (PID: 4840)
      • msedgewebview2.exe (PID: 5392)
      • JJSploit.exe (PID: 6972)
      • msedgewebview2.exe (PID: 6204)
      • msedgewebview2.exe (PID: 2600)
      • msedgewebview2.exe (PID: 2076)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 5096)
      • msedgewebview2.exe (PID: 2292)
      • msedgewebview2.exe (PID: 6240)
      • msedgewebview2.exe (PID: 3080)
      • JJSploit.exe (PID: 5964)
      • msedgewebview2.exe (PID: 5520)
      • msedgewebview2.exe (PID: 4872)
      • msedgewebview2.exe (PID: 1412)
      • msedgewebview2.exe (PID: 7156)
      • msedgewebview2.exe (PID: 7084)
      • msedgewebview2.exe (PID: 1540)

    • Reads the computer name

      • msiexec.exe (PID: 6060)
      • msiexec.exe (PID: 6604)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 3364)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 5076)
      • MicrosoftEdgeUpdate.exe (PID: 3544)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 5096)
      • MicrosoftEdgeUpdate.exe (PID: 5320)
      • MicrosoftEdgeUpdate.exe (PID: 6280)
      • MicrosoftEdgeUpdate.exe (PID: 3208)
      • MicrosoftEdge_X64_131.0.2903.99.exe (PID: 2572)
      • setup.exe (PID: 4164)
      • MicrosoftEdgeUpdate.exe (PID: 1804)
      • MicrosoftEdgeUpdate.exe (PID: 4840)
      • JJSploit.exe (PID: 6972)
      • msedgewebview2.exe (PID: 5392)
      • msedgewebview2.exe (PID: 2076)
      • msedgewebview2.exe (PID: 2600)
      • JJSploit.exe (PID: 5964)
      • msedgewebview2.exe (PID: 5520)
      • msedgewebview2.exe (PID: 7156)
      • msedgewebview2.exe (PID: 1412)

    • An automatically generated document

      • msiexec.exe (PID: 4392)

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 4392)
      • msiexec.exe (PID: 6060)

    • Manages system restore points

      • SrTasks.exe (PID: 6948)

    • Creates a software uninstall entry

      • msiexec.exe (PID: 6060)

    • Disables trace logs

      • powershell.exe (PID: 7080)

    • Checks proxy server information

      • powershell.exe (PID: 7080)
      • MicrosoftEdgeUpdate.exe (PID: 5320)
      • MicrosoftEdgeUpdate.exe (PID: 3208)
      • MicrosoftEdgeUpdate.exe (PID: 4840)
      • msedgewebview2.exe (PID: 5392)
      • JJSploit.exe (PID: 6972)
      • msedgewebview2.exe (PID: 5520)
      • JJSploit.exe (PID: 5964)

    • The sample compiled with english language support

      • powershell.exe (PID: 7080)
      • MicrosoftEdgeWebview2Setup.exe (PID: 5308)
      • svchost.exe (PID: 6484)
      • MicrosoftEdge_X64_131.0.2903.99.exe (PID: 2572)
      • setup.exe (PID: 4164)
      • MicrosoftEdgeUpdate.exe (PID: 1804)
      • JJSploit.exe (PID: 6972)

    • The process uses the downloaded file

      • powershell.exe (PID: 7080)
      • msiexec.exe (PID: 6604)

    • The executable file from the user directory is run by the Powershell process

      • MicrosoftEdgeWebview2Setup.exe (PID: 5308)

    • Create files in a temporary directory

      • MicrosoftEdgeUpdate.exe (PID: 1804)
      • svchost.exe (PID: 6484)
      • MicrosoftEdgeWebview2Setup.exe (PID: 5308)
      • msedgewebview2.exe (PID: 5392)
      • msedgewebview2.exe (PID: 5520)

    • Creates files or folders in the user directory

      • MicrosoftEdgeUpdate.exe (PID: 1804)
      • MicrosoftEdgeUpdate.exe (PID: 3208)
      • MicrosoftEdge_X64_131.0.2903.99.exe (PID: 2572)
      • setup.exe (PID: 4968)
      • setup.exe (PID: 4164)
      • msedgewebview2.exe (PID: 6204)
      • msedgewebview2.exe (PID: 5392)
      • msedgewebview2.exe (PID: 2600)
      • msedgewebview2.exe (PID: 5520)
      • msedgewebview2.exe (PID: 7156)

    • Reads Environment values

      • MicrosoftEdgeUpdate.exe (PID: 5320)
      • MicrosoftEdgeUpdate.exe (PID: 4840)
      • msedgewebview2.exe (PID: 5392)
      • msedgewebview2.exe (PID: 5520)

    • Process checks computer location settings

      • MicrosoftEdgeUpdate.exe (PID: 1804)
      • msiexec.exe (PID: 6604)
      • msedgewebview2.exe (PID: 5392)
      • msedgewebview2.exe (PID: 6240)
      • msedgewebview2.exe (PID: 5520)
      • msedgewebview2.exe (PID: 1540)
      • setup.exe (PID: 4164)

    • Reads the software policy settings

      • MicrosoftEdgeUpdate.exe (PID: 5320)
      • MicrosoftEdgeUpdate.exe (PID: 3208)
      • MicrosoftEdgeUpdate.exe (PID: 4840)
      • JJSploit.exe (PID: 6972)
      • JJSploit.exe (PID: 5964)

    • Reads the machine GUID from the registry

      • MicrosoftEdgeUpdate.exe (PID: 3208)
      • msedgewebview2.exe (PID: 5392)
      • msedgewebview2.exe (PID: 5520)

    • Sends debugging messages

      • msedgewebview2.exe (PID: 5392)
      • JJSploit.exe (PID: 6972)
      • msedgewebview2.exe (PID: 5520)
      • JJSploit.exe (PID: 5964)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (98.5)
.msi | Microsoft Installer (100)

EXIF

FlashPix

CodePage: Windows Latin 1 (Western European)
Title: Installation Database
Subject: JJSploit
Author: wearedevs
Keywords: Installer
Comments: This installer database contains the logic and data required to install JJSploit.
Template: x64;0
RevisionNumber: {29FDB81A-9E7C-4745-9E3D-FDA8868D323C}
CreateDate: 2024:11:17 18:07:42
ModifyDate: 2024:11:17 18:07:42
Pages: 450
Words: 2
Software: Windows Installer XML Toolset (3.14.1.8722)
Security: Read-only recommended
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
167
Monitored processes
37
Malicious processes
15
Suspicious processes
1

Behavior graph

Click at the process to see the details
start msiexec.exe msiexec.exe msiexec.exe no specs vssvc.exe no specs srtasks.exe no specs conhost.exe no specs powershell.exe conhost.exe no specs microsoftedgewebview2setup.exe microsoftedgeupdate.exe microsoftedgeupdate.exe no specs microsoftedgeupdatecomregistershell64.exe no specs microsoftedgeupdatecomregistershell64.exe no specs microsoftedgeupdatecomregistershell64.exe no specs microsoftedgeupdate.exe microsoftedgeupdate.exe no specs microsoftedgeupdate.exe svchost.exe microsoftedge_x64_131.0.2903.99.exe setup.exe setup.exe no specs microsoftedgeupdate.exe jjsploit.exe msedgewebview2.exe msedgewebview2.exe no specs msedgewebview2.exe no specs msedgewebview2.exe msedgewebview2.exe no specs msedgewebview2.exe no specs msedgewebview2.exe no specs jjsploit.exe msedgewebview2.exe msedgewebview2.exe no specs msedgewebview2.exe no specs msedgewebview2.exe msedgewebview2.exe no specs msedgewebview2.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1412"C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\131.0.2903.99\msedgewebview2.exe" --type=gpu-process --string-annotations=is-enterprise-managed=no --noerrdialogs --user-data-dir="C:\Users\admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=8.10.14 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1876,i,5487833063467030404,13199611563079697893,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=1856 /prefetch:2C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\131.0.2903.99\msedgewebview2.exemsedgewebview2.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge WebView2
Version:
131.0.2903.99
Modules
Images
c:\users\admin\appdata\local\microsoft\edgewebview\application\131.0.2903.99\msedgewebview2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\microsoft\edgewebview\application\131.0.2903.99\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1540"C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\131.0.2903.99\msedgewebview2.exe" --type=renderer --string-annotations=is-enterprise-managed=no --noerrdialogs --user-data-dir="C:\Users\admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=8.10.14 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=" --field-trial-handle=3552,i,5487833063467030404,13199611563079697893,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=3544 /prefetch:1C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\131.0.2903.99\msedgewebview2.exemsedgewebview2.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge WebView2
Version:
131.0.2903.99
Modules
Images
c:\users\admin\appdata\local\microsoft\edgewebview\application\131.0.2903.99\msedgewebview2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\microsoft\edgewebview\application\131.0.2903.99\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1804C:\Users\admin\AppData\Local\Temp\EUD98B.tmp\MicrosoftEdgeUpdate.exe /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"C:\Users\admin\AppData\Local\Temp\EUD98B.tmp\MicrosoftEdgeUpdate.exe
MicrosoftEdgeWebview2Setup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update
Exit code:
0
Version:
1.3.195.39
Modules
Images
c:\users\admin\appdata\local\temp\eud98b.tmp\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\ucrtbase.dll
2076"C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\131.0.2903.99\msedgewebview2.exe" --type=gpu-process --string-annotations=is-enterprise-managed=no --noerrdialogs --user-data-dir="C:\Users\admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=8.10.14 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1872,i,5605703505999822703,11228173509255923462,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=1868 /prefetch:2C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\131.0.2903.99\msedgewebview2.exemsedgewebview2.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge WebView2
Exit code:
0
Version:
131.0.2903.99
Modules
Images
c:\users\admin\appdata\local\microsoft\edgewebview\application\131.0.2903.99\msedgewebview2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\microsoft\edgewebview\application\131.0.2903.99\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2292"C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\131.0.2903.99\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations=is-enterprise-managed=no --noerrdialogs --user-data-dir="C:\Users\admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=8.10.14 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --field-trial-handle=2424,i,5605703505999822703,11228173509255923462,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=2436 /prefetch:8C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\131.0.2903.99\msedgewebview2.exemsedgewebview2.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge WebView2
Exit code:
0
Version:
131.0.2903.99
Modules
Images
c:\users\admin\appdata\local\microsoft\edgewebview\application\131.0.2903.99\msedgewebview2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\microsoft\edgewebview\application\131.0.2903.99\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2572"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\Install\{252FD92B-4F3B-43B5-AE48-A78AC2FFFC17}\MicrosoftEdge_X64_131.0.2903.99.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --user-levelC:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\Install\{252FD92B-4F3B-43B5-AE48-A78AC2FFFC17}\MicrosoftEdge_X64_131.0.2903.99.exe
MicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Installer
Exit code:
0
Version:
131.0.2903.99
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\install\{252fd92b-4f3b-43b5-ae48-a78ac2fffc17}\microsoftedge_x64_131.0.2903.99.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\shell32.dll
2600"C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\131.0.2903.99\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations=is-enterprise-managed=no --noerrdialogs --user-data-dir="C:\Users\admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=8.10.14 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --field-trial-handle=2120,i,5605703505999822703,11228173509255923462,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=2136 /prefetch:3C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\131.0.2903.99\msedgewebview2.exe
msedgewebview2.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge WebView2
Exit code:
0
Version:
131.0.2903.99
Modules
Images
c:\users\admin\appdata\local\microsoft\edgewebview\application\131.0.2903.99\msedgewebview2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\microsoft\edgewebview\application\131.0.2903.99\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3080"C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\131.0.2903.99\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations=is-enterprise-managed=no --noerrdialogs --user-data-dir="C:\Users\admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=8.10.14 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --field-trial-handle=4476,i,5605703505999822703,11228173509255923462,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=2320 /prefetch:8C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\131.0.2903.99\msedgewebview2.exemsedgewebview2.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge WebView2
Exit code:
0
Version:
131.0.2903.99
Modules
Images
c:\users\admin\appdata\local\microsoft\edgewebview\application\131.0.2903.99\msedgewebview2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\microsoft\edgewebview\application\131.0.2903.99\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3208"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" -EmbeddingC:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update
Exit code:
0
Version:
1.3.195.39
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\ucrtbase.dll
3364"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.195.39\MicrosoftEdgeUpdateComRegisterShell64.exe" /user C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.195.39\MicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update COM Registration Helper
Exit code:
0
Version:
1.3.195.39
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\1.3.195.39\microsoftedgeupdatecomregistershell64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
Total events
29 513
Read events
24 718
Write events
4 710
Delete events
85

Modification events

(PID) Process:(6060) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppGetSnapshots (Leave)
Value:
48000000000000003FEC97575C4EDB01AC170000F4190000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(6060) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppEnumGroups (Enter)
Value:
48000000000000003FEC97575C4EDB01AC170000F4190000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(6060) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppCreate (Enter)
Value:
480000000000000014159F575C4EDB01AC170000F4190000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(6060) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation:writeName:SrCreateRp (Enter)
Value:
4800000000000000462B55575C4EDB01AC170000F4190000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(6060) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppGetSnapshots (Enter)
Value:
4800000000000000462B55575C4EDB01AC170000F4190000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(6060) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppEnumGroups (Leave)
Value:
4800000000000000BF629A575C4EDB01AC170000F4190000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(6060) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppGatherWriterMetadata (Enter)
Value:
4800000000000000AF8311585C4EDB01AC170000F4190000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(6660) VSSVC.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
Operation:writeName:IDENTIFY (Enter)
Value:
480000000000000017CB1F585C4EDB01041A0000241A0000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(6660) VSSVC.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
Operation:writeName:IDENTIFY (Enter)
Value:
480000000000000017CB1F585C4EDB01041A0000201A0000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(6660) VSSVC.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
Operation:writeName:IDENTIFY (Enter)
Value:
480000000000000017CB1F585C4EDB01041A0000801A0000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
Executable files
227
Suspicious files
187
Text files
64
Unknown types
26

Dropped files

PID
Process
Filename
Type
6060msiexec.exeC:\System Volume Information\SPP\metadata-2
MD5:
SHA256:
6060msiexec.exeC:\Windows\Installer\13b9dd.msi
MD5:
SHA256:
6060msiexec.exeC:\System Volume Information\SPP\snapshot-2binary
MD5:1EA8E6174AA9FA31D4E99078276E8F0D
SHA256:4AE33AC6D52803907BA7CF12AAC3EABA91143D2A50BDF9C8630BD706AADEC748
6060msiexec.exeC:\Windows\Installer\MSIBD67.tmpbinary
MD5:B1F7B7EB573FAD3D9D811003F71E0C15
SHA256:FDA864B9923EE823A37870A6DD6C3F00487FF341C56176A8485D8A044EF1AF8C
6060msiexec.exeC:\Windows\Temp\~DF29E47F781ABA9FC6.TMPbinary
MD5:BF619EAC0CDF3F68D496EA9344137E8B
SHA256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
6060msiexec.exeC:\Program Files\JJSploit\JJSploit.exeexecutable
MD5:281A79ABB33F10B3F9C6C40C0E165CC3
SHA256:30F840BE1B9249D22C6BDC943D6901EE8723284770BE1B7E18EA12A844D91F77
6060msiexec.exeC:\Windows\Temp\~DF8545D901751388EA.TMPbinary
MD5:B3693661AE8B2F15EEBE017B944E1C30
SHA256:60C4560980C4AE9360CBA77640F6471765860BC6C1CE22D7AE55A282A614412A
6060msiexec.exeC:\Program Files\JJSploit\resources\luascripts\animations\dab.luatext
MD5:EE91641376E1217DE57AD17EA74DA5CB
SHA256:EFD5E7407C3FC69338237D3C9686596F78BB5FE3181ED10640EFAD5839F6112A
6060msiexec.exeC:\Program Files\JJSploit\resources\luascripts\animations\energizegui.luatext
MD5:70B51C18FBF11B73271E552FBB224396
SHA256:7E7579AC512265FC6508B7B4D025EE923BCA7F23937ED10F41BEFDC440C28761
6060msiexec.exeC:\Program Files\JJSploit\resources\luascripts\jailbreak\walkspeed.luabinary
MD5:76D6BC545A92D108FF8A18614A5DB4AD
SHA256:A7931EE89662C563637E1752228923D182F42F3A70286D4FD0A1FFF993C9766D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
16
TCP/UDP connections
63
DNS requests
64
Threats
8

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
88.221.218.99:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
88.221.218.99:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5064
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
1684
svchost.exe
GET
200
88.221.218.99:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
2.21.137.121:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1684
svchost.exe
GET
200
2.21.137.121:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6484
svchost.exe
HEAD
200
199.232.214.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/0529a13c-ea24-474d-87d7-66f668b071b4?P1=1734763650&P2=404&P3=2&P4=Y2HHuJj2podPu7W43uri1SCiuD7rpBIpFZCifAIRYHnC1moxG3szqlh0XeBlXqv64LN4x%2bX2K6eUKIf%2fs0gBhw%3d%3d
unknown
whitelisted
6484
svchost.exe
GET
206
199.232.214.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/0529a13c-ea24-474d-87d7-66f668b071b4?P1=1734763650&P2=404&P3=2&P4=Y2HHuJj2podPu7W43uri1SCiuD7rpBIpFZCifAIRYHnC1moxG3szqlh0XeBlXqv64LN4x%2bX2K6eUKIf%2fs0gBhw%3d%3d
unknown
whitelisted
6484
svchost.exe
GET
206
199.232.214.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/0529a13c-ea24-474d-87d7-66f668b071b4?P1=1734763650&P2=404&P3=2&P4=Y2HHuJj2podPu7W43uri1SCiuD7rpBIpFZCifAIRYHnC1moxG3szqlh0XeBlXqv64LN4x%2bX2K6eUKIf%2fs0gBhw%3d%3d
unknown
whitelisted
6484
svchost.exe
GET
206
199.232.214.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/0529a13c-ea24-474d-87d7-66f668b071b4?P1=1734763650&P2=404&P3=2&P4=Y2HHuJj2podPu7W43uri1SCiuD7rpBIpFZCifAIRYHnC1moxG3szqlh0XeBlXqv64LN4x%2bX2K6eUKIf%2fs0gBhw%3d%3d
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
5064
SearchApp.exe
2.21.245.29:443
www.bing.com
Akamai International B.V.
NL
whitelisted
4712
MoUsoCoreWorker.exe
88.221.218.99:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1684
svchost.exe
88.221.218.99:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
88.221.218.99:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5064
SearchApp.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
4712
MoUsoCoreWorker.exe
2.21.137.121:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
1684
svchost.exe
2.21.137.121:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
2.21.137.121:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
google.com
  • 142.251.143.46
whitelisted
www.bing.com
  • 2.21.245.29
whitelisted
crl.microsoft.com
  • 88.221.218.99
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
www.microsoft.com
  • 2.21.137.121
whitelisted
go.microsoft.com
  • 2.16.194.83
whitelisted
msedge.sf.dl.delivery.mp.microsoft.com
  • 2.21.245.147
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
msedge.api.cdp.microsoft.com
  • 4.151.228.221
whitelisted

Threats

PID
Process
Class
Message
6484
svchost.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2600
msedgewebview2.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
2600
msedgewebview2.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
2600
msedgewebview2.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
2192
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to access raw user content on GitHub
7156
msedgewebview2.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
7156
msedgewebview2.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
7156
msedgewebview2.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
Process
Message
msedgewebview2.exe
RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\net.wearedevs directory exists )
JJSploit.exe
Warning: AddWebResourceRequestedFilter without SourceKind parameter is deprecated! It does not behave as expected for iframes.Please use AddWebResourceRequestedFilterWithRequestSourceKinds instead. For more information, please see https://go.microsoft.com/fwlink/?linkid=2286319
msedgewebview2.exe
RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\net.wearedevs\EBWebView directory exists )
JJSploit.exe
Warning: AddWebResourceRequestedFilter without SourceKind parameter is deprecated! It does not behave as expected for iframes.Please use AddWebResourceRequestedFilterWithRequestSourceKinds instead. For more information, please see https://go.microsoft.com/fwlink/?linkid=2286319
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
JJSploit_8.10.14_x64_en-US.msi