File name:

JJSploit_8.10.14_x64_en-US.msi

Full analysis: https://app.any.run/tasks/c2a78068-8c52-4d58-9e5a-0a783f82306c
Verdict: Malicious activity
Analysis date: December 22, 2024, 11:59:33
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
generated-doc
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: JJSploit, Author: wearedevs, Keywords: Installer, Comments: This installer database contains the logic and data required to install JJSploit., Template: x64;0, Revision Number: {29FDB81A-9E7C-4745-9E3D-FDA8868D323C}, Create Time/Date: Sun Nov 17 18:07:42 2024, Last Saved Time/Date: Sun Nov 17 18:07:42 2024, Number of Pages: 450, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
MD5:

9A5E4420FD429B7444E7F02B2B52D0BC

SHA1:

056E5AC7EF1334698F4337435985A2D6A52AE059

SHA256:

44EF9C095FDC078CAD8648BC9EC75F744D2C72229EE427EAC65FBC1859E57172

SSDEEP:

98304:SEGR+Uio9dIBZX+JmT9CnGBKylVdlfkD3KHag2oZ7eljaj4y9lyDVOgupN5gE7l3:fl0HSa1Ar

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 1740)

    • Changes the autorun value in the registry

      • MicrosoftEdgeUpdate.exe (PID: 6804)

  • SUSPICIOUS

    • Executes as Windows Service

      • VSSVC.exe (PID: 7048)

    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 6348)

    • Starts POWERSHELL.EXE for commands execution

      • msiexec.exe (PID: 6348)

    • Manipulates environment variables

      • powershell.exe (PID: 1740)

    • Downloads file from URI via Powershell

      • powershell.exe (PID: 1740)

    • Starts process via Powershell

      • powershell.exe (PID: 1740)

    • Gets or sets the security protocol (POWERSHELL)

      • powershell.exe (PID: 1740)

    • The process bypasses the loading of PowerShell profile settings

      • msiexec.exe (PID: 6348)

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 1740)
      • MicrosoftEdgeWebview2Setup.exe (PID: 5556)
      • MicrosoftEdgeUpdate.exe (PID: 6804)

    • Starts a Microsoft application from unusual location

      • MicrosoftEdgeWebview2Setup.exe (PID: 5556)
      • MicrosoftEdgeUpdate.exe (PID: 6804)

    • Process drops legitimate windows executable

      • powershell.exe (PID: 1740)
      • MicrosoftEdgeWebview2Setup.exe (PID: 5556)
      • MicrosoftEdgeUpdate.exe (PID: 6804)

    • Creates/Modifies COM task schedule object

      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6848)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6824)
      • MicrosoftEdgeUpdate.exe (PID: 2092)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6932)

    • Reads security settings of Internet Explorer

      • MicrosoftEdgeUpdate.exe (PID: 6804)

    • Starts itself from another location

      • MicrosoftEdgeUpdate.exe (PID: 6804)

    • Potential Corporate Privacy Violation

      • svchost.exe (PID: 1792)

  • INFO

    • An automatically generated document

      • msiexec.exe (PID: 6236)

    • Reads the computer name

      • msiexec.exe (PID: 6348)
      • msiexec.exe (PID: 6992)
      • MicrosoftEdgeUpdate.exe (PID: 6804)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6824)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6848)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6932)
      • MicrosoftEdgeUpdate.exe (PID: 6880)
      • MicrosoftEdgeUpdate.exe (PID: 2092)
      • MicrosoftEdgeUpdate.exe (PID: 6984)
      • MicrosoftEdgeUpdate.exe (PID: 2012)

    • Checks supported languages

      • msiexec.exe (PID: 6992)
      • msiexec.exe (PID: 6348)
      • MicrosoftEdgeWebview2Setup.exe (PID: 5556)
      • MicrosoftEdgeUpdate.exe (PID: 6804)
      • MicrosoftEdgeUpdate.exe (PID: 2092)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6848)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6824)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6932)
      • MicrosoftEdgeUpdate.exe (PID: 6880)
      • MicrosoftEdgeUpdate.exe (PID: 2012)
      • MicrosoftEdgeUpdate.exe (PID: 6984)

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 6236)
      • msiexec.exe (PID: 6348)

    • Creates a software uninstall entry

      • msiexec.exe (PID: 6348)

    • Manages system restore points

      • SrTasks.exe (PID: 4640)

    • Checks proxy server information

      • powershell.exe (PID: 1740)
      • MicrosoftEdgeUpdate.exe (PID: 6984)
      • MicrosoftEdgeUpdate.exe (PID: 6880)

    • Disables trace logs

      • powershell.exe (PID: 1740)

    • The sample compiled with english language support

      • powershell.exe (PID: 1740)
      • MicrosoftEdgeWebview2Setup.exe (PID: 5556)
      • MicrosoftEdgeUpdate.exe (PID: 6804)

    • The process uses the downloaded file

      • powershell.exe (PID: 1740)

    • The executable file from the user directory is run by the Powershell process

      • MicrosoftEdgeWebview2Setup.exe (PID: 5556)

    • Create files in a temporary directory

      • MicrosoftEdgeWebview2Setup.exe (PID: 5556)
      • svchost.exe (PID: 1792)

    • Creates files or folders in the user directory

      • MicrosoftEdgeUpdate.exe (PID: 6804)

    • Reads Environment values

      • MicrosoftEdgeUpdate.exe (PID: 6880)

    • Reads the software policy settings

      • MicrosoftEdgeUpdate.exe (PID: 6880)
      • MicrosoftEdgeUpdate.exe (PID: 6984)

    • Process checks computer location settings

      • MicrosoftEdgeUpdate.exe (PID: 6804)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (98.5)
.msi | Microsoft Installer (100)

EXIF

FlashPix

CodePage: Windows Latin 1 (Western European)
Title: Installation Database
Subject: JJSploit
Author: wearedevs
Keywords: Installer
Comments: This installer database contains the logic and data required to install JJSploit.
Template: x64;0
RevisionNumber: {29FDB81A-9E7C-4745-9E3D-FDA8868D323C}
CreateDate: 2024:11:17 18:07:42
ModifyDate: 2024:11:17 18:07:42
Pages: 450
Words: 2
Software: Windows Installer XML Toolset (3.14.1.8722)
Security: Read-only recommended
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
144
Monitored processes
18
Malicious processes
6
Suspicious processes
0

Behavior graph

Click at the process to see the details
start msiexec.exe msiexec.exe msiexec.exe no specs vssvc.exe no specs srtasks.exe no specs conhost.exe no specs powershell.exe conhost.exe no specs microsoftedgewebview2setup.exe microsoftedgeupdate.exe microsoftedgeupdate.exe no specs microsoftedgeupdatecomregistershell64.exe no specs microsoftedgeupdatecomregistershell64.exe no specs microsoftedgeupdatecomregistershell64.exe no specs microsoftedgeupdate.exe microsoftedgeupdate.exe no specs microsoftedgeupdate.exe svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
848\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1740powershell.exe -NoProfile -windowstyle hidden try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 } catch {}; Invoke-WebRequest -Uri "https://go.microsoft.com/fwlink/p/?LinkId=2124703" -OutFile "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" ; Start-Process -FilePath "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" -ArgumentList ('/silent', '/install') -WaitC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1792C:\WINDOWS\System32\svchost.exe -k netsvcs -p -s BITSC:\Windows\System32\svchost.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2012"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=false" /installsource otherinstallcmd /sessionid "{5EB00F79-D06E-4BA6-8D2D-090D0A886CCD}" /silentC:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update
Version:
1.3.195.43
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\ucrtbase.dll
2092"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserverC:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update
Exit code:
0
Version:
1.3.195.43
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\ucrtbase.dll
4640C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:11C:\Windows\System32\SrTasks.exemsiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Windows System Protection background tasks.
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\srtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
4980\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeSrTasks.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5556"C:\Users\admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe" /silent /install C:\Users\admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update Setup
Version:
1.3.195.43
Modules
Images
c:\users\admin\appdata\local\temp\microsoftedgewebview2setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
6236"C:\Windows\System32\msiexec.exe" /i C:\Users\admin\AppData\Local\Temp\JJSploit_8.10.14_x64_en-US.msiC:\Windows\System32\msiexec.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Version:
5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
6348C:\WINDOWS\system32\msiexec.exe /VC:\Windows\System32\msiexec.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
Total events
12 373
Read events
11 435
Write events
895
Delete events
43

Modification events

(PID) Process:(6348) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppEnumGroups (Leave)
Value:
480000000000000002206D066954DB01CC180000781B0000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(6348) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppCreate (Enter)
Value:
480000000000000031D471066954DB01CC180000781B0000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(6348) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation:writeName:SrCreateRp (Enter)
Value:
480000000000000066EA27066954DB01CC180000781B0000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(6348) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppGetSnapshots (Enter)
Value:
480000000000000066EA27066954DB01CC180000781B0000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(6348) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppGetSnapshots (Leave)
Value:
4800000000000000D85768066954DB01CC180000781B0000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(6348) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppEnumGroups (Enter)
Value:
4800000000000000D85768066954DB01CC180000781B0000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(6348) msiexec.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation:writeName:LastIndex
Value:
11
(PID) Process:(7048) VSSVC.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
Operation:writeName:IDENTIFY (Enter)
Value:
4800000000000000D989FE066954DB01881B0000A41B0000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(7048) VSSVC.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
Operation:writeName:IDENTIFY (Enter)
Value:
4800000000000000D989FE066954DB01881B0000D8180000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(7048) VSSVC.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
Operation:writeName:IDENTIFY (Enter)
Value:
48000000000000005FED00076954DB01881B0000A81B0000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
Executable files
204
Suspicious files
20
Text files
20
Unknown types
1

Dropped files

PID
Process
Filename
Type
6348msiexec.exeC:\System Volume Information\SPP\metadata-2
MD5:
SHA256:
6348msiexec.exeC:\Windows\Installer\13d3dd.msi
MD5:
SHA256:
6348msiexec.exeC:\Program Files\JJSploit\resources\luascripts\animations\dab.luatext
MD5:EE91641376E1217DE57AD17EA74DA5CB
SHA256:EFD5E7407C3FC69338237D3C9686596F78BB5FE3181ED10640EFAD5839F6112A
6348msiexec.exeC:\System Volume Information\SPP\snapshot-2binary
MD5:5C417C2C2F226EDEF61A6FC48DF815BE
SHA256:22D6FFF585A9236658B0A86BF4F4D9CC905AD84F33D6F8AD3EEFA11D83925077
6348msiexec.exeC:\Windows\Temp\~DF45BD7FA0F5A91CDA.TMPbinary
MD5:8E5099404A3D20A71E007CD111D98509
SHA256:A86330DF8B30783EDF912FC15705DDC4921BCE7B1143905481614E18C7E33091
6348msiexec.exeC:\System Volume Information\SPP\OnlineMetadataCache\{46eb229e-5d1a-47fc-9570-3ad40703a7c1}_OnDiskSnapshotPropbinary
MD5:5C417C2C2F226EDEF61A6FC48DF815BE
SHA256:22D6FFF585A9236658B0A86BF4F4D9CC905AD84F33D6F8AD3EEFA11D83925077
6348msiexec.exeC:\Windows\Installer\inprogressinstallinfo.ipibinary
MD5:8E5099404A3D20A71E007CD111D98509
SHA256:A86330DF8B30783EDF912FC15705DDC4921BCE7B1143905481614E18C7E33091
6348msiexec.exeC:\Program Files\JJSploit\resources\luascripts\general\god.luatext
MD5:121A9CE65D07175515C986D40502F1A5
SHA256:DBFBB0B80576AA03C66CA23D4510C5B5EB33FCA8AB2031BE75556073230DE323
6348msiexec.exeC:\Program Files\JJSploit\JJSploit.exeexecutable
MD5:281A79ABB33F10B3F9C6C40C0E165CC3
SHA256:30F840BE1B9249D22C6BDC943D6901EE8723284770BE1B7E18EA12A844D91F77
6348msiexec.exeC:\Windows\Installer\MSID7F4.tmpbinary
MD5:A9453F32FB05D3B7CB5AB88DCFE5E509
SHA256:9E4F65BC50DF71EDA076C31F45545C38F79683F03C617F911B1C85FB59435036
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
39
DNS requests
23
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1176
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
23.38.73.129:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
5432
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
5432
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
5536
SIHClient.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
5536
SIHClient.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
1792
svchost.exe
HEAD
200
2.22.242.227:80
http://msedge.f.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/7d9cd93c-1d5e-449b-9ad7-f1e8d6b90509?P1=1735473625&P2=404&P3=2&P4=OfABqrTjw6OuvjzNmWa0vsnx6mlpKfSTI2j5xhpr7%2bP2dsPJicHZwbICIqZCp5qhTG%2fjwCQMfeUL8LY8ohCtYQ%3d%3d
unknown
whitelisted
1792
svchost.exe
GET
2.22.242.227:80
http://msedge.f.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/7d9cd93c-1d5e-449b-9ad7-f1e8d6b90509?P1=1735473625&P2=404&P3=2&P4=OfABqrTjw6OuvjzNmWa0vsnx6mlpKfSTI2j5xhpr7%2bP2dsPJicHZwbICIqZCp5qhTG%2fjwCQMfeUL8LY8ohCtYQ%3d%3d
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4536
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
192.168.100.255:137
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4712
MoUsoCoreWorker.exe
23.48.23.143:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
23.38.73.129:80
www.microsoft.com
AKAMAI-AS
DE
unknown
5064
SearchApp.exe
2.21.110.139:443
www.bing.com
AKAMAI-AS
DE
whitelisted
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
4
System
192.168.100.255:138
whitelisted
1176
svchost.exe
40.126.31.71:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1176
svchost.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
  • 51.124.78.146
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.156
whitelisted
www.microsoft.com
  • 23.38.73.129
  • 88.221.169.152
whitelisted
www.bing.com
  • 2.21.110.139
  • 2.21.110.146
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
google.com
  • 142.250.185.174
whitelisted
login.live.com
  • 40.126.31.71
  • 40.126.31.73
  • 20.190.159.0
  • 20.190.159.75
  • 20.190.159.4
  • 20.190.159.64
  • 20.190.159.73
  • 20.190.159.68
  • 40.126.31.69
  • 20.190.159.23
  • 20.190.159.71
whitelisted
go.microsoft.com
  • 23.35.238.131
  • 184.28.89.167
whitelisted
arc.msn.com
  • 20.223.35.26
whitelisted
fd.api.iris.microsoft.com
  • 20.74.47.205
whitelisted

Threats

PID
Process
Class
Message
1792
svchost.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
JJSploit_8.10.14_x64_en-US.msi