File name: JJsploit.exe
Full analysis: https://app.any.run/tasks/35f6ca51-36c3-488f-b0f2-75e9c02c670e
Verdict: Malicious activity
Threats:

A loader is malware whose job is to get onto a device and deliver further payloads. It typically fingerprints the system and then installs other threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links, relying on social engineering to get the user to download and run the executable, and loaders use evasion and persistence techniques to stay undetected. In this report JJsploit.exe (PID 920) both extracts a JJsploit installer (jjsploit_8.12.2_x64_en-US.msi) and drops roblox.exe into the user's Temp directory; roblox.exe then starts MoUsoCoreWorker.exe from AppData\Local\PeerDistRepub, the process on which the SALATSTEALER YARA rule fires.

Analysis date: March 20, 2025, 03:27:41
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
stealer
ms-smartcard
loader
salatstealer
upx
golang
susp-powershell
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows, 2 sections
MD5: 11F7D2D52ECF38666FC67AECD94320EA
SHA1: C2A1B7241FAFEF5111388A4B3715050B2A9E2F2F
SHA256: 75A899B8BC1661DE26349D22F4C1A5AC0449C92B68FE2EC43A45DAC361217548
SSDEEP: 98304:TI33+AgrBSAyBUR1CZet7at+HcuKf9b1v8Fw/78J8/3YCCPmlDQ3wIurAgpZ+jFZ:8UIAFgz0vMRNh4ozHLvFn8T+oL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Actions look like stealing of personal data

      • MoUsoCoreWorker.exe (PID: 1272)
    • Steals credentials from Web Browsers

      • MoUsoCoreWorker.exe (PID: 1272)
    • UAC/LUA settings modification

      • powershell.exe (PID: 5640)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 8140)
    • SALATSTEALER has been detected (YARA)

      • MoUsoCoreWorker.exe (PID: 1272)
    • Changes the autorun value in the registry

      • MicrosoftEdgeUpdate.exe (PID: 1348)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • JJsploit.exe (PID: 920)
      • roblox.exe (PID: 6560)
      • MoUsoCoreWorker.exe (PID: 1272)
      • powershell.exe (PID: 8140)
      • MicrosoftEdgeWebview2Setup.exe (PID: 7688)
      • MicrosoftEdgeUpdate.exe (PID: 1348)
    • Reads the date of Windows installation

      • JJsploit.exe (PID: 920)
    • Reads security settings of Internet Explorer

      • JJsploit.exe (PID: 920)
      • roblox.exe (PID: 4896)
      • ShellExperienceHost.exe (PID: 7596)
      • MicrosoftEdgeUpdate.exe (PID: 1348)
    • Application launched itself

      • roblox.exe (PID: 4896)
    • Starts itself from another location

      • roblox.exe (PID: 6560)
      • MoUsoCoreWorker.exe (PID: 1272)
      • MicrosoftEdgeUpdate.exe (PID: 1348)
    • Starts POWERSHELL.EXE for commands execution

      • MoUsoCoreWorker.exe (PID: 1272)
      • msiexec.exe (PID: 5508)
    • Executes as Windows Service

      • VSSVC.exe (PID: 7292)
    • Gets path to any of the special folders (POWERSHELL)

      • powershell.exe (PID: 5640)
    • Modifies hosts file to alter network resolution

      • powershell.exe (PID: 5640)
    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 5508)
    • The process bypasses the loading of PowerShell profile settings

      • msiexec.exe (PID: 5508)
    • Starts process via Powershell

      • powershell.exe (PID: 8140)
    • Manipulates environment variables

      • powershell.exe (PID: 8140)
    • Downloads file from URI via Powershell

      • powershell.exe (PID: 8140)
    • There is functionality for taking screenshot (YARA)

      • MoUsoCoreWorker.exe (PID: 1272)
    • Multiple wallet extension IDs have been found

      • MoUsoCoreWorker.exe (PID: 1272)
    • Gets or sets the security protocol (POWERSHELL)

      • powershell.exe (PID: 8140)
    • Process drops legitimate windows executable

      • powershell.exe (PID: 8140)
      • MicrosoftEdgeWebview2Setup.exe (PID: 7688)
      • MicrosoftEdgeUpdate.exe (PID: 1348)
    • Starts a Microsoft application from unusual location

      • MicrosoftEdgeWebview2Setup.exe (PID: 7688)
      • MicrosoftEdgeUpdate.exe (PID: 1348)
    • Creates/Modifies COM task schedule object

      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6760)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 2344)
      • MicrosoftEdgeUpdate.exe (PID: 4784)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 4652)
    • The process creates files with name similar to system file names

      • roblox.exe (PID: 6560)
  • INFO

    • Reads the computer name

      • msiexec.exe (PID: 5508)
      • JJsploit.exe (PID: 920)
      • roblox.exe (PID: 4896)
      • msiexec.exe (PID: 2516)
      • MoUsoCoreWorker.exe (PID: 1272)
      • MoUsoCoreWorker.exe (PID: 2152)
      • MoUsoCoreWorker.exe (PID: 2152)
      • ShellExperienceHost.exe (PID: 7596)
      • MicrosoftEdgeUpdate.exe (PID: 1348)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 2344)
      • MicrosoftEdgeUpdate.exe (PID: 4784)
      • roblox.exe (PID: 6560)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6760)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 4652)
      • MicrosoftEdgeUpdate.exe (PID: 4008)
      • MicrosoftEdgeUpdate.exe (PID: 7996)
      • MicrosoftEdgeUpdateCore.exe (PID: 8088)
      • MicrosoftEdgeUpdate.exe (PID: 7816)
      • MicrosoftEdgeUpdate.exe (PID: 8072)
    • Process checks computer location settings

      • JJsploit.exe (PID: 920)
      • roblox.exe (PID: 4896)
      • MicrosoftEdgeUpdate.exe (PID: 1348)
    • Reads the machine GUID from the registry

      • roblox.exe (PID: 4896)
      • JJsploit.exe (PID: 920)
      • roblox.exe (PID: 6560)
      • MoUsoCoreWorker.exe (PID: 1272)
      • MoUsoCoreWorker.exe (PID: 2152)
      • MoUsoCoreWorker.exe (PID: 2152)
      • MicrosoftEdgeUpdate.exe (PID: 7996)
      • MicrosoftEdgeUpdate.exe (PID: 4008)
    • Reads Microsoft Office registry keys

      • JJsploit.exe (PID: 920)
    • Create files in a temporary directory

      • JJsploit.exe (PID: 920)
      • MoUsoCoreWorker.exe (PID: 1272)
      • MicrosoftEdgeWebview2Setup.exe (PID: 7688)
      • MicrosoftEdgeUpdate.exe (PID: 1348)
    • Checks supported languages

      • JJsploit.exe (PID: 920)
      • roblox.exe (PID: 4896)
      • msiexec.exe (PID: 5508)
      • msiexec.exe (PID: 2516)
      • MoUsoCoreWorker.exe (PID: 1272)
      • MoUsoCoreWorker.exe (PID: 2152)
      • MoUsoCoreWorker.exe (PID: 2152)
      • ShellExperienceHost.exe (PID: 7596)
      • MicrosoftEdgeWebview2Setup.exe (PID: 7688)
      • MicrosoftEdgeUpdate.exe (PID: 4784)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 2344)
      • MicrosoftEdgeUpdate.exe (PID: 1348)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6760)
      • roblox.exe (PID: 6560)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 4652)
      • MicrosoftEdgeUpdate.exe (PID: 4008)
      • MicrosoftEdgeUpdate.exe (PID: 7996)
      • MicrosoftEdgeUpdateCore.exe (PID: 8088)
      • MicrosoftEdgeUpdate.exe (PID: 8072)
      • MicrosoftEdgeUpdate.exe (PID: 7816)
    • Creates files in the program directory

      • roblox.exe (PID: 6560)
      • MoUsoCoreWorker.exe (PID: 1272)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 5800)
      • msiexec.exe (PID: 5508)
    • Creates files or folders in the user directory

      • roblox.exe (PID: 6560)
      • MicrosoftEdgeUpdate.exe (PID: 1348)
    • Drops encrypted JS script (Microsoft Script Encoder)

      • MoUsoCoreWorker.exe (PID: 1272)
    • Checks current location (POWERSHELL)

      • powershell.exe (PID: 5640)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 5640)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 5640)
    • Manages system restore points

      • SrTasks.exe (PID: 8016)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 5508)
    • Detects GO elliptic curve encryption (YARA)

      • MoUsoCoreWorker.exe (PID: 1272)
    • Application based on Golang

      • MoUsoCoreWorker.exe (PID: 1272)
    • Found Base64 encoded access to environment variables via PowerShell (YARA)

      • MoUsoCoreWorker.exe (PID: 1272)
    • UPX packer has been detected

      • MoUsoCoreWorker.exe (PID: 1272)
    • Found Base64 encoded access to Windows Defender via PowerShell (YARA)

      • MoUsoCoreWorker.exe (PID: 1272)
    • Checks proxy server information

      • powershell.exe (PID: 8140)
      • MicrosoftEdgeUpdate.exe (PID: 7996)
      • MicrosoftEdgeUpdate.exe (PID: 4008)
      • slui.exe (PID: 5544)
    • The sample compiled with english language support

      • powershell.exe (PID: 8140)
      • MicrosoftEdgeWebview2Setup.exe (PID: 7688)
      • MicrosoftEdgeUpdate.exe (PID: 1348)
    • The executable file from the user directory is run by the Powershell process

      • MicrosoftEdgeWebview2Setup.exe (PID: 7688)
    • Disables trace logs

      • powershell.exe (PID: 8140)
    • Autorun file from Registry key

      • MicrosoftEdgeUpdate.exe (PID: 1348)
    • Reads Environment values

      • MicrosoftEdgeUpdate.exe (PID: 4008)
    • Manual execution by a user

      • MicrosoftEdgeUpdateCore.exe (PID: 8088)
    • Reads the software policy settings

      • MicrosoftEdgeUpdate.exe (PID: 4008)
      • MicrosoftEdgeUpdate.exe (PID: 7996)
      • slui.exe (PID: 5544)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:03:07 17:29:08+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 11
CodeSize: 9640960
InitializedDataSize: 24064
UninitializedDataSize: -
EntryPoint: 0x0000
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
FileDescription:
FileVersion: 1.0.0.0
InternalName: JJsploit.exe
LegalCopyright:
OriginalFileName: JJsploit.exe
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
Total processes: 161
Monitored processes: 29
Malicious processes: 9
Suspicious processes: 1

Behavior graph

Processes in the graph, in the order shown ("no specs" is the report's own marker for that entry):
start, jjsploit.exe, roblox.exe (no specs), msiexec.exe, msiexec.exe, roblox.exe, msiexec.exe (no specs), mousocoreworker.exe [#SALATSTEALER], powershell.exe (no specs), conhost.exe (no specs), mousocoreworker.exe (no specs), mousocoreworker.exe (no specs), vssvc.exe (no specs), shellexperiencehost.exe (no specs), srtasks.exe (no specs), conhost.exe (no specs), powershell.exe, conhost.exe (no specs), slui.exe, microsoftedgewebview2setup.exe, microsoftedgeupdate.exe, microsoftedgeupdate.exe (no specs), microsoftedgeupdatecomregistershell64.exe (no specs), microsoftedgeupdatecomregistershell64.exe (no specs), microsoftedgeupdatecomregistershell64.exe (no specs), microsoftedgeupdate.exe, microsoftedgeupdate.exe (no specs), microsoftedgeupdate.exe, microsoftedgeupdatecore.exe (no specs), microsoftedgeupdate.exe (no specs)

Process information

Fields per entry: PID | CMD | Path | Parent process, followed by user, integrity level, company/description, exit code, version and the first loaded modules.

PID 920 | CMD: "C:\Users\admin\Desktop\JJsploit.exe" | Path: C:\Users\admin\Desktop\JJsploit.exe | Parent: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\jjsploit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID 1272 | CMD: C:\Users\admin\AppData\Local\PeerDistRepub\MoUsoCoreWorker.exe | Path: C:\Users\admin\AppData\Local\PeerDistRepub\MoUsoCoreWorker.exe | Parent: roblox.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\appdata\local\peerdistrepub\mousocoreworker.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\bcryptprimitives.dll
PID 1348 | CMD: C:\Users\admin\AppData\Local\Temp\EUB207.tmp\MicrosoftEdgeUpdate.exe /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" | Path: C:\Users\admin\AppData\Local\Temp\EUB207.tmp\MicrosoftEdgeUpdate.exe | Parent: MicrosoftEdgeWebview2Setup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update
Version:
1.3.195.45
Modules
Images
c:\users\admin\appdata\local\temp\eub207.tmp\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\ucrtbase.dll
PID 2152 | CMD: "C:\Program Files\Google\Chrome\Application\MoUsoCoreWorker.exe" - | Path: C:\Program Files\Google\Chrome\Application\MoUsoCoreWorker.exe | Parent: MoUsoCoreWorker.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\program files\google\chrome\application\mousocoreworker.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\bcryptprimitives.dll
PID 2152 | CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\MoUsoCoreWorker.exe" - | Path: C:\Program Files (x86)\Microsoft\Edge\Application\MoUsoCoreWorker.exe | Parent: MoUsoCoreWorker.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\program files (x86)\microsoft\edge\application\mousocoreworker.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\bcryptprimitives.dll
PID 2344 | CMD: "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.195.45\MicrosoftEdgeUpdateComRegisterShell64.exe" /user | Path: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.195.45\MicrosoftEdgeUpdateComRegisterShell64.exe | Parent: MicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update COM Registration Helper
Exit code:
0
Version:
1.3.195.45
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\1.3.195.45\microsoftedgeupdatecomregistershell64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID 2516 | CMD: C:\Windows\syswow64\MsiExec.exe -Embedding F3FDD0EDC8E291D8868C18B946700CAC C | Path: C:\Windows\SysWOW64\msiexec.exe | Parent: msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID 4008 | CMD: "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping <base64 payload below> | Path: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | Parent: MicrosoftEdgeUpdate.exe
/ping payload (base64-encoded Omaha XML request):
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDUiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDUiIGlzbWFjaGluZT0iMCIgc2Vzc2lvbmlkPSJ7OTc5RjE5NTctNzRDNS00NkJGLTlFREItNzNFMzBGQTEwODQzfSIgdXNlcmlkPSJ7NEVCOTQ2QTgtRUQxOS00MTk4LUFCQjYtN0M3MzgwRUU2RDk3fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9Ins4QUQ1NjExMS01NDQ0LTREOTQtODZDRS00ODNCRDgxNjZDRkV9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iNCIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQ1LjQwNDYiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREVMTCIgcHJvZHVjdF9uYW1lPSJERUxMIi8-PGV4cCBldGFnPSIiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMS4zLjE5NS40NSIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTAyOTUwMTA0ODUiIGluc3RhbGxfdGltZV9tcz0iNTE2Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update
Exit code:
0
Version:
1.3.195.45
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\ucrtbase.dll
PID 4652 | CMD: "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.195.45\MicrosoftEdgeUpdateComRegisterShell64.exe" /user | Path: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.195.45\MicrosoftEdgeUpdateComRegisterShell64.exe | Parent: MicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update COM Registration Helper
Exit code:
0
Version:
1.3.195.45
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\1.3.195.45\microsoftedgeupdatecomregistershell64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID 4784 | CMD: "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver | Path: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | Parent: MicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update
Exit code:
0
Version:
1.3.195.45
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\ucrtbase.dll
Total events: 33 447
Read events: 30 603
Write events: 2 801
Delete events: 43

Modification events

PID 920 JJsploit.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.msi\OpenWithProgids | Operation: write | Name: Msi.Package
Value: (empty)
PID 5508 msiexec.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore | Operation: write | Name: SrCreateRp (Enter)
Value: 48000000000000009E604E1A4899DB01841500006C1C0000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
PID 5508 msiexec.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP | Operation: write | Name: SppGetSnapshots (Enter)
Value: 48000000000000009E604E1A4899DB01841500006C1C0000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
PID 5508 msiexec.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP | Operation: write | Name: SppEnumGroups (Leave)
Value: 48000000000000009581A31A4899DB01841500006C1C0000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
PID 5508 msiexec.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP | Operation: write | Name: SppCreate (Enter)
Value: 4800000000000000384BA81A4899DB01841500006C1C0000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
PID 5508 msiexec.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP | Operation: write | Name: SppGetSnapshots (Leave)
Value: 4800000000000000DC1DA11A4899DB01841500006C1C0000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
PID 5508 msiexec.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP | Operation: write | Name: SppEnumGroups (Enter)
Value: 4800000000000000DC1DA11A4899DB01841500006C1C0000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
PID 5508 msiexec.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP | Operation: write | Name: LastIndex
Value: 11
PID 5508 msiexec.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP | Operation: write | Name: SppGatherWriterMetadata (Enter)
Value: 4800000000000000F2E71A1B4899DB01841500006C1C0000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
PID 5508 msiexec.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher | Operation: write | Name: IDENTIFY (Enter)
Value: 4800000000000000E3B01F1B4899DB0184150000E81C0000E803000001000000000000000000000074968B6A041FF54B87BDBB2E1C25A73800000000000000000000000000000000
Executable files: 209
Suspicious files: 21
Text files: 25
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
920 | JJsploit.exe | C:\Users\admin\AppData\Local\Temp\jjsploit_8.12.2_x64_en-US.msi | n/a | n/a | n/a
5508 | msiexec.exe | C:\System Volume Information\SPP\metadata-2 | n/a | n/a | n/a
5508 | msiexec.exe | C:\Windows\Installer\1146f9.msi | n/a | n/a | n/a
5640 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_btbfex3u.yjv.ps1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1272 | MoUsoCoreWorker.exe | C:\Program Files (x86)\Microsoft\Edge\Application\MoUsoCoreWorker.exe | executable | EA820228D8BEB3E23DD2B1029BC6DAE3 | 342B8023F4296B359E4A0183DE9F420529E2CC6DBFAE2A68D5F895406452CCE9
920 | JJsploit.exe | C:\Users\admin\AppData\Local\Temp\roblox.exe | executable | EA820228D8BEB3E23DD2B1029BC6DAE3 | 342B8023F4296B359E4A0183DE9F420529E2CC6DBFAE2A68D5F895406452CCE9
1272 | MoUsoCoreWorker.exe | C:\Program Files\Google\Chrome\Application\MoUsoCoreWorker.exe | executable | EA820228D8BEB3E23DD2B1029BC6DAE3 | 342B8023F4296B359E4A0183DE9F420529E2CC6DBFAE2A68D5F895406452CCE9
5800 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSIEBD9.tmp | executable | CFBB8568BD3711A97E6124C56FCFA8D9 | 7F47D98AB25CFEA9B3A2E898C3376CC9BA1CD893B4948B0C27CAA530FD0E34CC
5640 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_xa2z5ceb.exn.ps1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5640 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_f41myknb.504.psm1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

Note: roblox.exe (dropped by JJsploit.exe) and both MoUsoCoreWorker.exe copies (written by PID 1272 into the Chrome and Edge application directories, which requires the HIGH integrity that process runs at) carry the same MD5 and SHA256, so this is one payload staged under three paths, two of them with a Windows-native file name. The __PSScriptPolicyTest_* files are PowerShell's own script-policy probes, not attacker content. The report gives no type or hashes for the MSI, metadata-2 and 1146f9.msi rows.
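The process table and the dropped-file list above carry the three facts that make this tree worth triaging: a Windows-native file name (MoUsoCoreWorker.exe, which lives in C:\Windows\System32 on a clean host) running from a user-writable directory and from browser directories, a jump from MEDIUM to HIGH integrity between roblox.exe and MoUsoCoreWorker.exe, and one executable (SHA256 342B8023…) written to three paths. The Python below is an added example, not ANY.RUN's report code and not JJsploit or SalatStealer code, that encodes those three checks and runs them over records constructed from this report. Paths, PIDs, hashes and the stated integrity levels are copied from the page; parent PIDs (the report names parents only by image) and the integrity level of the two roblox.exe processes are not on the page and are assumed, as marked in the comments.

```python
"""Triage checks over a sandbox process tree and dropped-file list.

Added example built from the ANY.RUN report for JJsploit.exe; the records
are constructed from the page and fields the page does not state are
marked as assumptions.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

# Directories where a Windows-native binary of this name is expected to live.
EXPECTED_DIRS = {
    "mousocoreworker.exe": [r"C:\Windows\System32"],
    "msiexec.exe":         [r"C:\Windows\System32", r"C:\Windows\SysWOW64"],
}

INTEGRITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "SYSTEM": 3}

# Process records constructed from the report's process table and behaviour graph.
PROCESSES = [
    {"pid": 920,  "ppid": None, "integrity": "MEDIUM",
     "image": r"C:\Users\admin\Desktop\JJsploit.exe"},
    {"pid": 4896, "ppid": 920,  "integrity": "MEDIUM",            # integrity assumed
     "image": r"C:\Users\admin\AppData\Local\Temp\roblox.exe"},
    {"pid": 6560, "ppid": 4896, "integrity": "MEDIUM",            # integrity and path assumed
     "image": r"C:\Users\admin\AppData\Local\Temp\roblox.exe"},
    {"pid": 1272, "ppid": 6560, "integrity": "HIGH",              # ppid assumed (parent given by name only)
     "image": r"C:\Users\admin\AppData\Local\PeerDistRepub\MoUsoCoreWorker.exe"},
    {"pid": 2152, "ppid": 1272, "integrity": "HIGH",
     "image": r"C:\Program Files\Google\Chrome\Application\MoUsoCoreWorker.exe"},
    {"pid": 2516, "ppid": 5508, "integrity": "MEDIUM",
     "image": r"C:\Windows\SysWOW64\msiexec.exe"},
]

# Dropped-file records (type, path, SHA-256) copied from the report.
DROPPED = [
    ("executable", r"C:\Users\admin\AppData\Local\Temp\roblox.exe",
     "342B8023F4296B359E4A0183DE9F420529E2CC6DBFAE2A68D5F895406452CCE9"),
    ("executable", r"C:\Program Files\Google\Chrome\Application\MoUsoCoreWorker.exe",
     "342B8023F4296B359E4A0183DE9F420529E2CC6DBFAE2A68D5F895406452CCE9"),
    ("executable", r"C:\Program Files (x86)\Microsoft\Edge\Application\MoUsoCoreWorker.exe",
     "342B8023F4296B359E4A0183DE9F420529E2CC6DBFAE2A68D5F895406452CCE9"),
    ("executable", r"C:\Users\admin\AppData\Local\Temp\MSIEBD9.tmp",
     "7F47D98AB25CFEA9B3A2E898C3376CC9BA1CD893B4948B0C27CAA530FD0E34CC"),
    ("text", r"C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_btbfex3u.yjv.ps1",
     "96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7"),
    ("text", r"C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_xa2z5ceb.exn.ps1",
     "96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7"),
]


def _under(path: str, directory: str) -> bool:
    """True if path sits directly inside directory (case-insensitive, Windows semantics)."""
    return PureWindowsPath(path.lower()).parent == PureWindowsPath(directory.lower())


def masquerading(procs):
    """PIDs whose image has a Windows-native file name but runs from somewhere else."""
    hits = []
    for p in procs:
        name = PureWindowsPath(p["image"]).name.lower()
        expected = EXPECTED_DIRS.get(name)
        if expected and not any(_under(p["image"], d) for d in expected):
            hits.append(p["pid"])
    return hits


def elevation_steps(procs):
    """(parent_pid, child_pid) pairs where the child runs at a higher integrity than its parent."""
    by_pid = {p["pid"]: p for p in procs}
    steps = []
    for p in procs:
        parent = by_pid.get(p["ppid"])
        if parent and INTEGRITY_RANK[p["integrity"]] > INTEGRITY_RANK[parent["integrity"]]:
            steps.append((parent["pid"], p["pid"]))
    return steps


def staged_copies(dropped):
    """Executables whose identical bytes were written to more than one path, keyed by SHA-256."""
    paths = defaultdict(list)
    for ftype, path, sha256 in dropped:
        if ftype == "executable":   # skip PowerShell's __PSScriptPolicyTest_* policy probes
            paths[sha256].append(path)
    return {h: ps for h, ps in paths.items() if len(ps) > 1}


if __name__ == "__main__":
    print("native names outside their directory:", masquerading(PROCESSES))
    print("integrity jumps (parent, child):", elevation_steps(PROCESSES))
    for h, ps in staged_copies(DROPPED).items():
        print(h[:12], "staged at", len(ps), "paths")
```

On this report's data the three checks return PIDs 1272 and 2152 for the name-versus-path mismatch, the 6560 to 1272 step for the integrity jump, and the single hash staged at three paths. The name-versus-path check is the cheapest of the three to run fleet-wide from process-creation telemetry, since it needs only the image path; the other two need a parent link and file hashes.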
HTTP(S) requests: 9
TCP/UDP connections: 38
DNS requests: 10
Threats: 5

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation
n/a | n/a | GET | 301 | 23.35.229.160:443 | https://go.microsoft.com/fwlink/p/?LinkId=2124703 | unknown | n/a | n/a | n/a
7940 | svchost.exe | HEAD | 200 | 217.20.57.35:80 | http://msedge.f.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/5b6c6265-354c-4eb9-aa33-dac7d89ddebd?P1=1743046136&P2=404&P3=2&P4=BZryTKuScsAhkZSWgCP7eQ9jqBC9OrXvq0zjsFX7UBdf1wl%2fDvKXd5egRgWWlNL5hT5hV1H2yZHTqZi4xw78fg%3d%3d | unknown | n/a | n/a | whitelisted
7940 | svchost.exe | GET | n/a | 217.20.57.35:80 | http://msedge.f.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/5b6c6265-354c-4eb9-aa33-dac7d89ddebd?P1=1743046136&P2=404&P3=2&P4=BZryTKuScsAhkZSWgCP7eQ9jqBC9OrXvq0zjsFX7UBdf1wl%2fDvKXd5egRgWWlNL5hT5hV1H2yZHTqZi4xw78fg%3d%3d | unknown | n/a | n/a | whitelisted
n/a | n/a | GET | 200 | 13.107.42.16:443 | https://config.edge.skype.com/config/v1/EdgeUpdate/1.3.195.45?clientId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&appChannel_edgeupdate=6&appConsentState_edgeupdate=0&appDayOfInstall_edgeupdate=0&appInactivityBadgeApplied_edgeupdate=0&appInactivityBadgeCleared_edgeupdate=0&appInactivityBadgeDuration_edgeupdate=0&appInstallTimeDiffSec_edgeupdate=0&appIsPinnedSystem_edgeupdate=false&appLastLaunchCount_edgeupdate=0&appLastLaunchTime_edgeupdate=0&appLastLaunchTimeJson_edgeupdate=0&appLastLaunchTimeDaysAgo_edgeupdate=0&appVersion_edgeupdate=1.3.195.45&appUpdateCheckIsUpdateDisabled_edgeupdate=false&appUpdatesAllowedForMeteredNetworks_edgeupdate=false&hwDiskType=2&hwHasSsse3=true&hwLogicalCpus=4&hwPhysmemory=4&isCTADevice=false&isMsftDomainJoined=false&oemProductManufacturer=DELL&oemProductName=DELL&osArch=x64&osIsDefaultNetworkConnectionMetered=false&osIsInLockdownMode=false&osIsWIP=false&osPlatform=win&osProductType=48&osVersion=10.0.19045.4046&requestCheckPeriodSec=-1&requestDomainJoined=false&requestInstallSource=otherinstallcmd&requestIsMachine=false&requestOmahaShellVersion=1.3.195.45&requestOmahaVersion=1.3.195.45 | unknown | binary | 234 b | whitelisted
n/a | n/a | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
n/a | n/a | POST | 200 | 52.252.28.242:443 | https://msedge.api.cdp.microsoft.com/api/v2/contents/Browser/namespaces/Default/names?action=batchupdates | unknown | text | 103 b | whitelisted
n/a | n/a | POST | 200 | 52.252.28.242:443 | https://msedge.api.cdp.microsoft.com/api/v1.1/internal/contents/Browser/namespaces/Default/names/msedgewebview-stable-win-x64/versions/134.0.3124.72/files?action=GenerateDownloadInfo&foregroundPriority=true | unknown | n/a | n/a | whitelisted
n/a | n/a | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
n/a | n/a | GET | 200 | 23.48.23.55:443 | https://msedge.sf.dl.delivery.mp.microsoft.com/filestreamingservice/files/87e36ef6-ce52-4421-8abd-7cae0a41ec7f/MicrosoftEdgeWebview2Setup.exe | unknown | executable | 1.56 Mb | whitelisted

Rows with no PID are HTTPS requests the report does not attribute to a process. The Connections table below attributes the go.microsoft.com and msedge.sf.dl.delivery.mp.microsoft.com connections to powershell.exe (PID 8140), which matches the "Downloads file from URI via Powershell" signature and the 1.56 Mb MicrosoftEdgeWebview2Setup.exe download; the remaining rows are Edge Update and Windows activation traffic. None of the listed HTTP requests belongs to roblox.exe or MoUsoCoreWorker.exe.

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
n/a | n/a | 192.168.100.255:137 | n/a | n/a | n/a | whitelisted
n/a | n/a | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
n/a | n/a | 192.168.100.255:138 | n/a | n/a | n/a | whitelisted
n/a | n/a | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6560 | roblox.exe | 1.1.1.1:443 | n/a | n/a | n/a | malicious
6560 | roblox.exe | 188.114.96.6:443 | n/a | n/a | n/a | unknown
1272 | MoUsoCoreWorker.exe | 1.1.1.1:443 | n/a | n/a | n/a | malicious
1272 | MoUsoCoreWorker.exe | 188.114.96.6:443 | n/a | n/a | n/a | unknown
8140 | powershell.exe | 23.35.238.131:443 | go.microsoft.com | AKAMAI-AS | DE | whitelisted
8140 | powershell.exe | 23.48.23.55:443 | msedge.sf.dl.delivery.mp.microsoft.com | Akamai International B.V. | DE | whitelisted

The four roblox.exe and MoUsoCoreWorker.exe rows carry no domain and no ASN, and nothing in the DNS table below resolves to 1.1.1.1 or 188.114.96.6. 1.1.1.1 is Cloudflare's public resolver, which also answers DNS over HTTPS on port 443, so a stealer opening 443 to it and then 443 to an address no captured lookup explains is consistent with name resolution that bypasses the sandbox's DNS log. The "malicious" reputation is ANY.RUN's verdict for that connection in the context of this sample, not a statement about the resolver address itself.

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 40.127.240.158
whitelisted
google.com
  • 172.217.16.206
whitelisted
go.microsoft.com
  • 23.35.238.131
whitelisted
msedge.sf.dl.delivery.mp.microsoft.com
  • 23.48.23.55
  • 23.48.23.14
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
msedge.api.cdp.microsoft.com
  • 172.169.87.222
whitelisted
msedge.f.tlu.dl.delivery.mp.microsoft.com
  • 217.20.57.35
  • 84.201.210.39
  • 217.20.57.34
  • 84.201.210.23
  • 217.20.57.20
  • 217.20.57.19
  • 217.20.57.36
whitelisted
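The Connections and DNS tables above answer two questions only when read together: which outbound connections have no DNS answer in the capture, and which processes talk to a public resolver on 443. The Python below is an added example, not the report's code and not the malware's, that automates that cross-check over rows copied from the two tables. The set of public resolvers that serve DNS-over-HTTPS on 443 is the example's own assumption (1.1.1.1 is on it because it is Cloudflare's public resolver); the 188.114.96.6 address is left unattributed, as the report leaves it.

```python
"""Correlate a sandbox report's Connections table with its DNS table.

Added example built from the ANY.RUN report for JJsploit.exe; the rows are
copied from the page and the DoH resolver list is an assumption.
"""
import ipaddress

# (pid, process, "ip:port") from the Connections table; None where the report shows no PID.
CONNECTIONS = [
    (None, None, "192.168.100.255:137"),
    (None, None, "51.104.136.2:443"),
    (None, None, "192.168.100.255:138"),
    (None, None, "40.127.240.158:443"),
    (6560, "roblox.exe", "1.1.1.1:443"),
    (6560, "roblox.exe", "188.114.96.6:443"),
    (1272, "MoUsoCoreWorker.exe", "1.1.1.1:443"),
    (1272, "MoUsoCoreWorker.exe", "188.114.96.6:443"),
    (8140, "powershell.exe", "23.35.238.131:443"),
    (8140, "powershell.exe", "23.48.23.55:443"),
]

# domain -> answered IPs, copied from the DNS requests table.
DNS_ANSWERS = {
    "settings-win.data.microsoft.com": ["51.104.136.2", "40.127.240.158"],
    "google.com": ["172.217.16.206"],
    "go.microsoft.com": ["23.35.238.131"],
    "msedge.sf.dl.delivery.mp.microsoft.com": ["23.48.23.55", "23.48.23.14"],
    "activation-v2.sls.microsoft.com": ["20.83.72.98"],
    "config.edge.skype.com": ["13.107.42.16"],
    "msedge.api.cdp.microsoft.com": ["172.169.87.222"],
    "msedge.f.tlu.dl.delivery.mp.microsoft.com": [
        "217.20.57.35", "84.201.210.39", "217.20.57.34", "84.201.210.23",
        "217.20.57.20", "217.20.57.19", "217.20.57.36",
    ],
}

# Assumption of this example: public resolvers that also serve DoH on TCP 443.
PUBLIC_DOH_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9", "149.112.112.112"}


def _split(endpoint: str):
    """'ip:port' -> (ip, port)."""
    ip, port = endpoint.rsplit(":", 1)
    return ip, int(port)


def names_for(ip: str, dns=DNS_ANSWERS):
    """Domains whose captured answers included this IP (empty list if none)."""
    return sorted(d for d, ips in dns.items() if ip in ips)


def unresolved(conns=CONNECTIONS, dns=DNS_ANSWERS):
    """Connections to public IPs that no captured DNS answer explains.

    Private, link-local and broadcast peers are skipped. A public peer with no
    answer in the capture means the address came from somewhere else: hard-coded
    in the binary, resolved over DoH, or resolved before the capture started.
    """
    out = []
    for pid, proc, endpoint in conns:
        ip, _ = _split(endpoint)
        if ipaddress.ip_address(ip).is_global and not names_for(ip, dns):
            out.append((pid, proc, ip))
    return out


def doh_contacts(conns=CONNECTIONS):
    """PIDs that opened port 443 to a known public DoH resolver."""
    pids = set()
    for pid, _, endpoint in conns:
        ip, port = _split(endpoint)
        if pid is not None and port == 443 and ip in PUBLIC_DOH_RESOLVERS:
            pids.add(pid)
    return pids


if __name__ == "__main__":
    for pid, proc, ip in unresolved():
        print(f"no DNS answer for {ip}: pid {pid} ({proc})")
    print("processes on 443 to a public DoH resolver:", sorted(doh_contacts()))
```

On this report the unresolved set is exactly the four stealer rows (1.1.1.1 and 188.114.96.6, from PIDs 6560 and 1272), and the same two PIDs are the only ones reaching a public resolver on 443, while both powershell.exe peers are explained by the go.microsoft.com and msedge.sf.dl.delivery.mp.microsoft.com answers. A resolver contact on 443 followed by 443 to an address nothing resolved is what DoH-based C2 resolution looks like in a capture that logs only classic DNS; the report does not show the decrypted traffic, so treat the result as a lead to confirm from the PCAP rather than a finding on its own.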

Threats

PID | Process | Class | Message
n/a | n/a | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
n/a | n/a | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
n/a | n/a | Misc activity | ET INFO Request for EXE via Powershell
n/a | n/a | Misc activity | ET INFO Packed Executable Download
7940 | svchost.exe | Misc activity | ET INFO Packed Executable Download

All five IDS hits relate to the PowerShell-driven WebView2 runtime download and the svchost.exe (PID 7940) delivery traffic; no alert in this report is attributed to roblox.exe or MoUsoCoreWorker.exe, so the IDS layer alone would not have flagged the stealer's own connections.
No debug info