File name:

JJSploit_8.10.14_x64_en-US.msi

Full analysis: https://app.any.run/tasks/c2a78068-8c52-4d58-9e5a-0a783f82306c
Verdict: Malicious activity
Analysis date: December 22, 2024, 11:59:33
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
generated-doc
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: JJSploit, Author: wearedevs, Keywords: Installer, Comments: This installer database contains the logic and data required to install JJSploit., Template: x64;0, Revision Number: {29FDB81A-9E7C-4745-9E3D-FDA8868D323C}, Create Time/Date: Sun Nov 17 18:07:42 2024, Last Saved Time/Date: Sun Nov 17 18:07:42 2024, Number of Pages: 450, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
MD5:

9A5E4420FD429B7444E7F02B2B52D0BC

SHA1:

056E5AC7EF1334698F4337435985A2D6A52AE059

SHA256:

44EF9C095FDC078CAD8648BC9EC75F744D2C72229EE427EAC65FBC1859E57172

SSDEEP:

98304:SEGR+Uio9dIBZX+JmT9CnGBKylVdlfkD3KHag2oZ7eljaj4y9lyDVOgupN5gE7l3:fl0HSa1Ar

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 1740)

    • Changes the autorun value in the registry

      • MicrosoftEdgeUpdate.exe (PID: 6804)

  • SUSPICIOUS

    • Executes as Windows Service

      • VSSVC.exe (PID: 7048)

    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 6348)

    • Starts POWERSHELL.EXE for commands execution

      • msiexec.exe (PID: 6348)

    • Manipulates environment variables

      • powershell.exe (PID: 1740)

    • Downloads file from URI via Powershell

      • powershell.exe (PID: 1740)

    • Starts process via Powershell

      • powershell.exe (PID: 1740)

    • The process bypasses the loading of PowerShell profile settings

      • msiexec.exe (PID: 6348)

    • Gets or sets the security protocol (POWERSHELL)

      • powershell.exe (PID: 1740)

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 1740)
      • MicrosoftEdgeWebview2Setup.exe (PID: 5556)
      • MicrosoftEdgeUpdate.exe (PID: 6804)

    • Process drops legitimate windows executable

      • powershell.exe (PID: 1740)
      • MicrosoftEdgeWebview2Setup.exe (PID: 5556)
      • MicrosoftEdgeUpdate.exe (PID: 6804)

    • Starts a Microsoft application from unusual location

      • MicrosoftEdgeWebview2Setup.exe (PID: 5556)
      • MicrosoftEdgeUpdate.exe (PID: 6804)

    • Creates/Modifies COM task schedule object

      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6848)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6824)
      • MicrosoftEdgeUpdate.exe (PID: 2092)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6932)

    • Reads security settings of Internet Explorer

      • MicrosoftEdgeUpdate.exe (PID: 6804)

    • Starts itself from another location

      • MicrosoftEdgeUpdate.exe (PID: 6804)

    • Potential Corporate Privacy Violation

      • svchost.exe (PID: 1792)

  • INFO

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 6236)
      • msiexec.exe (PID: 6348)

    • An automatically generated document

      • msiexec.exe (PID: 6236)

    • Reads the computer name

      • msiexec.exe (PID: 6992)
      • msiexec.exe (PID: 6348)
      • MicrosoftEdgeUpdate.exe (PID: 6804)
      • MicrosoftEdgeUpdate.exe (PID: 2092)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6848)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6824)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6932)
      • MicrosoftEdgeUpdate.exe (PID: 6880)
      • MicrosoftEdgeUpdate.exe (PID: 2012)
      • MicrosoftEdgeUpdate.exe (PID: 6984)

    • Checks supported languages

      • msiexec.exe (PID: 6348)
      • msiexec.exe (PID: 6992)
      • MicrosoftEdgeWebview2Setup.exe (PID: 5556)
      • MicrosoftEdgeUpdate.exe (PID: 6804)
      • MicrosoftEdgeUpdate.exe (PID: 2092)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6848)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6824)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6932)
      • MicrosoftEdgeUpdate.exe (PID: 6880)
      • MicrosoftEdgeUpdate.exe (PID: 2012)
      • MicrosoftEdgeUpdate.exe (PID: 6984)

    • Manages system restore points

      • SrTasks.exe (PID: 4640)

    • Creates a software uninstall entry

      • msiexec.exe (PID: 6348)

    • Checks proxy server information

      • powershell.exe (PID: 1740)
      • MicrosoftEdgeUpdate.exe (PID: 6880)
      • MicrosoftEdgeUpdate.exe (PID: 6984)

    • Disables trace logs

      • powershell.exe (PID: 1740)

    • The sample compiled with english language support

      • powershell.exe (PID: 1740)
      • MicrosoftEdgeWebview2Setup.exe (PID: 5556)
      • MicrosoftEdgeUpdate.exe (PID: 6804)

    • The process uses the downloaded file

      • powershell.exe (PID: 1740)

    • The executable file from the user directory is run by the Powershell process

      • MicrosoftEdgeWebview2Setup.exe (PID: 5556)

    • Create files in a temporary directory

      • MicrosoftEdgeWebview2Setup.exe (PID: 5556)
      • svchost.exe (PID: 1792)

    • Creates files or folders in the user directory

      • MicrosoftEdgeUpdate.exe (PID: 6804)

    • Reads Environment values

      • MicrosoftEdgeUpdate.exe (PID: 6880)

    • Process checks computer location settings

      • MicrosoftEdgeUpdate.exe (PID: 6804)

    • Reads the software policy settings

      • MicrosoftEdgeUpdate.exe (PID: 6880)
      • MicrosoftEdgeUpdate.exe (PID: 6984)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (98.5)
.msi | Microsoft Installer (100)

EXIF

FlashPix

CodePage: Windows Latin 1 (Western European)
Title: Installation Database
Subject: JJSploit
Author: wearedevs
Keywords: Installer
Comments: This installer database contains the logic and data required to install JJSploit.
Template: x64;0
RevisionNumber: {29FDB81A-9E7C-4745-9E3D-FDA8868D323C}
CreateDate: 2024:11:17 18:07:42
ModifyDate: 2024:11:17 18:07:42
Pages: 450
Words: 2
Software: Windows Installer XML Toolset (3.14.1.8722)
Security: Read-only recommended
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
144
Monitored processes
18
Malicious processes
6
Suspicious processes
0

Behavior graph

Click at the process to see the details
start msiexec.exe msiexec.exe msiexec.exe no specs vssvc.exe no specs srtasks.exe no specs conhost.exe no specs powershell.exe conhost.exe no specs microsoftedgewebview2setup.exe microsoftedgeupdate.exe microsoftedgeupdate.exe no specs microsoftedgeupdatecomregistershell64.exe no specs microsoftedgeupdatecomregistershell64.exe no specs microsoftedgeupdatecomregistershell64.exe no specs microsoftedgeupdate.exe microsoftedgeupdate.exe no specs microsoftedgeupdate.exe svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
848\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1740powershell.exe -NoProfile -windowstyle hidden try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 } catch {}; Invoke-WebRequest -Uri "https://go.microsoft.com/fwlink/p/?LinkId=2124703" -OutFile "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" ; Start-Process -FilePath "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" -ArgumentList ('/silent', '/install') -WaitC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1792C:\WINDOWS\System32\svchost.exe -k netsvcs -p -s BITSC:\Windows\System32\svchost.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2012"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=false" /installsource otherinstallcmd /sessionid "{5EB00F79-D06E-4BA6-8D2D-090D0A886CCD}" /silentC:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update
Version:
1.3.195.43
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\ucrtbase.dll
2092"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserverC:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update
Exit code:
0
Version:
1.3.195.43
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\ucrtbase.dll
4640C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:11C:\Windows\System32\SrTasks.exemsiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Windows System Protection background tasks.
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\srtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
4980\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeSrTasks.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5556"C:\Users\admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe" /silent /install C:\Users\admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update Setup
Version:
1.3.195.43
Modules
Images
c:\users\admin\appdata\local\temp\microsoftedgewebview2setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
6236"C:\Windows\System32\msiexec.exe" /i C:\Users\admin\AppData\Local\Temp\JJSploit_8.10.14_x64_en-US.msiC:\Windows\System32\msiexec.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Version:
5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
6348C:\WINDOWS\system32\msiexec.exe /VC:\Windows\System32\msiexec.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
Total events
12 373
Read events
11 435
Write events
895
Delete events
43

Modification events

(PID) Process:(6348) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppEnumGroups (Leave)
Value:
480000000000000002206D066954DB01CC180000781B0000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(6348) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppCreate (Enter)
Value:
480000000000000031D471066954DB01CC180000781B0000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(6348) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation:writeName:SrCreateRp (Enter)
Value:
480000000000000066EA27066954DB01CC180000781B0000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(6348) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppGetSnapshots (Enter)
Value:
480000000000000066EA27066954DB01CC180000781B0000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(6348) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppGetSnapshots (Leave)
Value:
4800000000000000D85768066954DB01CC180000781B0000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(6348) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppEnumGroups (Enter)
Value:
4800000000000000D85768066954DB01CC180000781B0000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(6348) msiexec.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation:writeName:LastIndex
Value:
11
(PID) Process:(7048) VSSVC.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
Operation:writeName:IDENTIFY (Enter)
Value:
4800000000000000D989FE066954DB01881B0000A41B0000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(7048) VSSVC.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
Operation:writeName:IDENTIFY (Enter)
Value:
4800000000000000D989FE066954DB01881B0000D8180000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(7048) VSSVC.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
Operation:writeName:IDENTIFY (Enter)
Value:
48000000000000005FED00076954DB01881B0000A81B0000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
Executable files
204
Suspicious files
20
Text files
20
Unknown types
1

Dropped files

PID
Process
Filename
Type
6348msiexec.exeC:\System Volume Information\SPP\metadata-2
MD5:
SHA256:
6348msiexec.exeC:\Windows\Installer\13d3dd.msi
MD5:
SHA256:
6236msiexec.exeC:\Users\admin\AppData\Local\Temp\MSI952F.tmpexecutable
MD5:CFBB8568BD3711A97E6124C56FCFA8D9
SHA256:7F47D98AB25CFEA9B3A2E898C3376CC9BA1CD893B4948B0C27CAA530FD0E34CC
6348msiexec.exeC:\Program Files\JJSploit\resources\luascripts\general\chattroll.luabinary
MD5:E1B50885CBA14899315B8BD4EA19A3DA
SHA256:E319DBE0926EF8DB1854E6481C5FA02EA71ABDFE0A0CBEF0656B4C441E0B22E8
6348msiexec.exeC:\Program Files\JJSploit\resources\luascripts\general\tptool.luabinary
MD5:78990037F24311727092F08334ACE6E0
SHA256:17BDAD5A7E4910982519F219B1E40525F4F5B2E4C55224E491A13CE4D98CA60C
6348msiexec.exeC:\Program Files\JJSploit\resources\luascripts\general\teleportto.luatext
MD5:6F9AFF06C0F98D0410365578D2AD1DFB
SHA256:02BDF1C9CFACE7C7F710B4B538673B14B39BC824B1DB4EA4EC6376DD000535B4
6348msiexec.exeC:\Program Files\JJSploit\resources\luascripts\animations\jumpland.luatext
MD5:2899EC217AEF73B127C9328785012EEF
SHA256:7D4CA7B02C90B0B21D64C2BAA6E5940DCCE895DB5BC125D0E993A5A883186721
6348msiexec.exeC:\Program Files\JJSploit\resources\luascripts\jailbreak\removewalls.luatext
MD5:00BC897C4BCBDF5660C3B1F703602F0B
SHA256:A477FFE6D4C769E2E859417AF43ED4E21107E174DF8274BC9487963659462F31
6348msiexec.exeC:\System Volume Information\SPP\snapshot-2binary
MD5:5C417C2C2F226EDEF61A6FC48DF815BE
SHA256:22D6FFF585A9236658B0A86BF4F4D9CC905AD84F33D6F8AD3EEFA11D83925077
6348msiexec.exeC:\System Volume Information\SPP\OnlineMetadataCache\{46eb229e-5d1a-47fc-9570-3ad40703a7c1}_OnDiskSnapshotPropbinary
MD5:5C417C2C2F226EDEF61A6FC48DF815BE
SHA256:22D6FFF585A9236658B0A86BF4F4D9CC905AD84F33D6F8AD3EEFA11D83925077
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
39
DNS requests
23
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
23.38.73.129:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
1176
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5432
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
5432
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
5536
SIHClient.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
5536
SIHClient.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
1792
svchost.exe
HEAD
200
2.22.242.227:80
http://msedge.f.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/7d9cd93c-1d5e-449b-9ad7-f1e8d6b90509?P1=1735473625&P2=404&P3=2&P4=OfABqrTjw6OuvjzNmWa0vsnx6mlpKfSTI2j5xhpr7%2bP2dsPJicHZwbICIqZCp5qhTG%2fjwCQMfeUL8LY8ohCtYQ%3d%3d
unknown
whitelisted
1792
svchost.exe
GET
2.22.242.227:80
http://msedge.f.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/7d9cd93c-1d5e-449b-9ad7-f1e8d6b90509?P1=1735473625&P2=404&P3=2&P4=OfABqrTjw6OuvjzNmWa0vsnx6mlpKfSTI2j5xhpr7%2bP2dsPJicHZwbICIqZCp5qhTG%2fjwCQMfeUL8LY8ohCtYQ%3d%3d
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4536
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
192.168.100.255:137
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4712
MoUsoCoreWorker.exe
23.48.23.143:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
23.38.73.129:80
www.microsoft.com
AKAMAI-AS
DE
unknown
5064
SearchApp.exe
2.21.110.139:443
www.bing.com
AKAMAI-AS
DE
whitelisted
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
4
System
192.168.100.255:138
whitelisted
1176
svchost.exe
40.126.31.71:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1176
svchost.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
  • 51.124.78.146
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.156
whitelisted
www.microsoft.com
  • 23.38.73.129
  • 88.221.169.152
whitelisted
www.bing.com
  • 2.21.110.139
  • 2.21.110.146
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
google.com
  • 142.250.185.174
whitelisted
login.live.com
  • 40.126.31.71
  • 40.126.31.73
  • 20.190.159.0
  • 20.190.159.75
  • 20.190.159.4
  • 20.190.159.64
  • 20.190.159.73
  • 20.190.159.68
  • 40.126.31.69
  • 20.190.159.23
  • 20.190.159.71
whitelisted
go.microsoft.com
  • 23.35.238.131
  • 184.28.89.167
whitelisted
arc.msn.com
  • 20.223.35.26
whitelisted
fd.api.iris.microsoft.com
  • 20.74.47.205
whitelisted

Threats

PID
Process
Class
Message
1792
svchost.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
JJSploit_8.10.14_x64_en-US.msi