File name: JJsploit_installer.exe

Full analysis: https://app.any.run/tasks/7714763f-ef05-48f4-8451-533765950594
Verdict: Malicious activity
Threats:

XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails.

Analysis date: February 02, 2025, 10:33:26
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: remote, xworm
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5: 4605C18DCB612FAB6516EF661CE100E4
SHA1: EA49BB0B0716C649F3DD07593BE49F7E055FBBA3
SHA256: C75E74F2DAF6FB603616BD89BE4D6564A8BEFED2C328549844C10061E73E8DBF
SSDEEP: 98304:JfLIQ/YQ/sNMLIq5IPg/8PiWDftwFB7TR0khNcU/9EvvRpTMdYlfMDxn1d/evnP+:DR28dW7n+p

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • WindowsDefender.exe (PID: 7000)
      • MicrosoftEdgeUpdate.exe (PID: 6884)
    • Create files in the Startup directory

      • WindowsDefender.exe (PID: 7000)
    • XWORM has been detected (SURICATA)

      • WindowsDefender.exe (PID: 7000)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 6744)
  • SUSPICIOUS

    • There is functionality for taking screenshot (YARA)

      • JJsploit_installer.exe (PID: 6344)
    • Executable content was dropped or overwritten

      • JJsploit_installer.exe (PID: 6344)
      • JJsploit.exe (PID: 6920)
      • powershell.exe (PID: 6744)
      • MicrosoftEdgeWebview2Setup.exe (PID: 1536)
      • MicrosoftEdgeUpdate.exe (PID: 6884)
    • Reads security settings of Internet Explorer

      • JJsploit.exe (PID: 6920)
      • JJsploit_installer.exe (PID: 6344)
      • MicrosoftEdgeUpdate.exe (PID: 6884)
    • Reads the date of Windows installation

      • JJsploit.exe (PID: 6920)
    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 7064)
    • Executes as Windows Service

      • VSSVC.exe (PID: 3612)
    • Connects to unusual port

      • WindowsDefender.exe (PID: 7000)
    • Contacting a server suspected of hosting an CnC

      • WindowsDefender.exe (PID: 7000)
    • Starts process via Powershell

      • powershell.exe (PID: 6744)
    • The process bypasses the loading of PowerShell profile settings

      • msiexec.exe (PID: 7064)
    • Downloads file from URI via Powershell

      • powershell.exe (PID: 6744)
    • Starts a Microsoft application from unusual location

      • MicrosoftEdgeWebview2Setup.exe (PID: 1536)
      • MicrosoftEdgeUpdate.exe (PID: 6884)
    • Process drops legitimate windows executable

      • powershell.exe (PID: 6744)
      • MicrosoftEdgeWebview2Setup.exe (PID: 1536)
      • MicrosoftEdgeUpdate.exe (PID: 6884)
    • Manipulates environment variables

      • powershell.exe (PID: 6744)
    • Starts POWERSHELL.EXE for commands execution

      • msiexec.exe (PID: 7064)
    • Gets or sets the security protocol (POWERSHELL)

      • powershell.exe (PID: 6744)
    • Starts itself from another location

      • MicrosoftEdgeUpdate.exe (PID: 6884)
    • Creates/Modifies COM task schedule object

      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6904)
      • MicrosoftEdgeUpdate.exe (PID: 6384)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6972)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6984)
  • INFO

    • Checks supported languages

      • JJsploit_installer.exe (PID: 6344)
      • msiexec.exe (PID: 7064)
      • WindowsDefender.exe (PID: 7000)
      • JJsploit.exe (PID: 6920)
      • msiexec.exe (PID: 7120)
      • MicrosoftEdgeUpdate.exe (PID: 6884)
      • MicrosoftEdgeWebview2Setup.exe (PID: 1536)
      • MicrosoftEdgeUpdate.exe (PID: 6384)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6904)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6972)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6984)
      • MicrosoftEdgeUpdate.exe (PID: 520)
      • MicrosoftEdgeUpdate.exe (PID: 1344)
      • MicrosoftEdgeUpdate.exe (PID: 2624)
    • Create files in a temporary directory

      • JJsploit_installer.exe (PID: 6344)
      • MicrosoftEdgeWebview2Setup.exe (PID: 1536)
      • MicrosoftEdgeUpdate.exe (PID: 6884)
    • Process checks computer location settings

      • JJsploit_installer.exe (PID: 6344)
      • JJsploit.exe (PID: 6920)
      • MicrosoftEdgeUpdate.exe (PID: 6884)
    • Reads the computer name

      • JJsploit.exe (PID: 6920)
      • WindowsDefender.exe (PID: 7000)
      • JJsploit_installer.exe (PID: 6344)
      • msiexec.exe (PID: 7064)
      • msiexec.exe (PID: 7120)
      • MicrosoftEdgeUpdate.exe (PID: 6884)
      • MicrosoftEdgeUpdate.exe (PID: 6384)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6972)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6904)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6984)
      • MicrosoftEdgeUpdate.exe (PID: 2624)
      • MicrosoftEdgeUpdate.exe (PID: 1344)
      • MicrosoftEdgeUpdate.exe (PID: 520)
    • Reads Microsoft Office registry keys

      • JJsploit.exe (PID: 6920)
    • Reads the machine GUID from the registry

      • WindowsDefender.exe (PID: 7000)
      • JJsploit.exe (PID: 6920)
    • Creates files or folders in the user directory

      • JJsploit.exe (PID: 6920)
      • WindowsDefender.exe (PID: 7000)
      • MicrosoftEdgeUpdate.exe (PID: 6884)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 6992)
      • msiexec.exe (PID: 7064)
    • Manages system restore points

      • SrTasks.exe (PID: 5532)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 7064)
    • Checks proxy server information

      • powershell.exe (PID: 6744)
      • MicrosoftEdgeUpdate.exe (PID: 520)
      • MicrosoftEdgeUpdate.exe (PID: 1344)
    • The sample compiled with english language support

      • powershell.exe (PID: 6744)
      • MicrosoftEdgeWebview2Setup.exe (PID: 1536)
      • MicrosoftEdgeUpdate.exe (PID: 6884)
    • The executable file from the user directory is run by the Powershell process

      • MicrosoftEdgeWebview2Setup.exe (PID: 1536)
    • Disables trace logs

      • powershell.exe (PID: 6744)
    • Reads Environment values

      • MicrosoftEdgeUpdate.exe (PID: 520)
    • Reads the software policy settings

      • MicrosoftEdgeUpdate.exe (PID: 1344)
      • MicrosoftEdgeUpdate.exe (PID: 520)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:10:03 07:51:19+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.33
CodeSize: 214528
InitializedDataSize: 350720
UninitializedDataSize: -
EntryPoint: 0x21d50
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
All screenshots are available in the full report
Total processes: 147
Monitored processes: 21
Malicious processes: 8
Suspicious processes: 0

Behavior graph

Process chain as shown in the report ("no specs" marks processes for which the report records no specifics):
  • jjsploit_installer.exe
  • jjsploit.exe
  • msiexec.exe
  • #XWORM windowsdefender.exe
  • msiexec.exe
  • msiexec.exe (no specs)
  • vssvc.exe (no specs)
  • svchost.exe
  • srtasks.exe (no specs)
  • conhost.exe (no specs)
  • powershell.exe
  • conhost.exe (no specs)
  • microsoftedgewebview2setup.exe
  • microsoftedgeupdate.exe
  • microsoftedgeupdate.exe (no specs)
  • microsoftedgeupdatecomregistershell64.exe (no specs)
  • microsoftedgeupdatecomregistershell64.exe (no specs)
  • microsoftedgeupdatecomregistershell64.exe (no specs)
  • microsoftedgeupdate.exe
  • microsoftedgeupdate.exe (no specs)
  • microsoftedgeupdate.exe

Process information

Columns: PID | CMD | Path | Indicators | Parent process
PID: 520
CMD: "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMCIgc2Vzc2lvbmlkPSJ7Rjg1RDNFNEEtMDgxOS00N0I4LUJGNTEtQzQyOTczRTFGOUQ5fSIgdXNlcmlkPSJ7QTQyOTZEQTMtRjkyOC00OUJBLTkzMEUtQjNCRjEyOUZEOUY3fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9IntGNUQ2Rjk5OS04Q0Y5LTRBMzctQjk2Qi0yODU2OEE1MEUxNDh9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iNCIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQ1LjQwNDYiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREVMTCIgcHJvZHVjdF9uYW1lPSJERUxMIi8-PGV4cCBldGFnPSIiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMS4zLjE5NS40MyIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTMyMjAwNjkxMTIiIGluc3RhbGxfdGltZV9tcz0iNTM4Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
Path: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
Parent process: MicrosoftEdgeUpdate.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge Update
Exit code: 0
Version: 1.3.195.43
Modules (images):
c:\users\admin\appdata\local\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\ucrtbase.dll
PID: 1344
CMD: "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" -Embedding
Path: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge Update
Version: 1.3.195.43
Modules (images):
c:\users\admin\appdata\local\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\ucrtbase.dll
PID: 1536
CMD: "C:\Users\admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe" /silent /install
Path: C:\Users\admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge Update Setup
Version: 1.3.195.43
Modules (images):
c:\users\admin\appdata\local\temp\microsoftedgewebview2setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 1988
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2192
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 2624
CMD: "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=false" /installsource otherinstallcmd /sessionid "{F85D3E4A-0819-47B8-BF51-C42973E1F9D9}" /silent
Path: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
Parent process: MicrosoftEdgeUpdate.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge Update
Version: 1.3.195.43
Modules (images):
c:\users\admin\appdata\local\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\ucrtbase.dll
PID: 3612
CMD: C:\WINDOWS\system32\vssvc.exe
Path: C:\Windows\System32\VSSVC.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft® Volume Shadow Copy Service
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 5532
CMD: C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:11
Path: C:\Windows\System32\SrTasks.exe
Parent process: msiexec.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft® Windows System Protection background tasks.
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\srtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 5712
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: SrTasks.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Console Window Host
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6344
CMD: "C:\Users\admin\AppData\Local\Temp\JJsploit_installer.exe"
Path: C:\Users\admin\AppData\Local\Temp\JJsploit_installer.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\jjsploit_installer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
Total events: 13 433
Read events: 12 844
Write events: 546
Delete events: 43

Modification events

(PID) Process: (6920) JJsploit.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.msi\OpenWithProgids
Operation: write
Name: Msi.Package
Value: (empty)

(PID) Process: (7064) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation: write
Name: SrCreateRp (Enter)
Value: 4800000000000000FE190AF75D75DB01981B00008C130000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (7064) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Enter)
Value: 4800000000000000FE190AF75D75DB01981B00008C130000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (7000) WindowsDefender.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: WindowsDefender
Value: C:\Users\admin\AppData\Roaming\WindowsDefender.exe

(PID) Process: (7064) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Leave)
Value: 4800000000000000ED8A5DF75D75DB01981B00008C130000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (7064) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Leave)
Value: 4800000000000000DC275BF75D75DB01981B00008C130000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (7064) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Enter)
Value: 4800000000000000DC275BF75D75DB01981B00008C130000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (7064) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppCreate (Enter)
Value: 48000000000000001FB564F75D75DB01981B00008C130000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (7064) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGatherWriterMetadata (Enter)
Value: 4800000000000000A8ECDBF75D75DB01981B00008C130000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (7064) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher
Operation: write
Name: IDENTIFY (Enter)
Value: 4800000000000000656FDEF75D75DB01981B000004190000E8030000010000000000000000000000F0DD9CD8C2FE3845B4A5376D812D5B3800000000000000000000000000000000
Executable files: 206
Suspicious files: 22
Text files: 19
Unknown types: 0

Dropped files

Columns: PID | Process | Filename | Type

PID: 6920
Process: JJsploit.exe
Filename: C:\Users\admin\AppData\Roaming\JJSploit_8.11.2_x64_en-US.msi
Type: -
MD5: -
SHA256: -

PID: 7064
Process: msiexec.exe
Filename: C:\System Volume Information\SPP\metadata-2
Type: -
MD5: -
SHA256: -

PID: 7064
Process: msiexec.exe
Filename: C:\Windows\Installer\13fb7a.msi
Type: -
MD5: -
SHA256: -

PID: 6344
Process: JJsploit_installer.exe
Filename: C:\Users\admin\AppData\Local\Temp\JJsploit.exe
Type: executable
MD5: CB242F6D0C2CCF9E517284677A45673E
SHA256: 0EB0D60D36C1458C47E2533D51B258789F9ACA2A57B8DFF40C9A025619B71D06

PID: 7064
Process: msiexec.exe
Filename: C:\Program Files\JJSploit\resources\luascripts\general\noclip.lua
Type: text
MD5: D6A6EE15AE62C9922EBFA6DB81263288
SHA256: 9F4EFC279D94977F92BD52165DFDA141A43AFF9149E044ED44742F7EF39CFE4F

PID: 7064
Process: msiexec.exe
Filename: C:\System Volume Information\SPP\OnlineMetadataCache\{d89cddf0-fec2-4538-b4a5-376d812d5b38}_OnDiskSnapshotProp
Type: binary
MD5: 24FEAB74951AD81F58053B75A6DE3602
SHA256: 23D10486282F7D3C5F81BD90D0CA206ABD7D9C9C567B80C070AA2E4B6471660B

PID: 7064
Process: msiexec.exe
Filename: C:\Windows\Installer\inprogressinstallinfo.ipi
Type: binary
MD5: 757D484EE8703AF29CEA425142192097
SHA256: 46FBE57FF7A1274B2A4EB85C836D2351B838422E12DDC98DB1E732CE67287F6A

PID: 7064
Process: msiexec.exe
Filename: C:\Windows\Temp\~DFF775BE605B80B1F0.TMP
Type: binary
MD5: 757D484EE8703AF29CEA425142192097
SHA256: 46FBE57FF7A1274B2A4EB85C836D2351B838422E12DDC98DB1E732CE67287F6A

PID: 7064
Process: msiexec.exe
Filename: C:\Program Files\JJSploit\resources\luascripts\animations\energizegui.lua
Type: text
MD5: 70B51C18FBF11B73271E552FBB224396
SHA256: 7E7579AC512265FC6508B7B4D025EE923BCA7F23937ED10F41BEFDC440C28761

PID: 7064
Process: msiexec.exe
Filename: C:\Program Files\JJSploit\JJSploit.exe
Type: executable
MD5: AC90656AA0E7A6C9740D42DE9EB9067B
SHA256: 0CB87057FE24E9139CE49DC5919C03DC67016C0CA740E4FE73751DD8F4881234
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 7
TCP/UDP connections: 38
DNS requests: 20
Threats: 4

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | - | - | whitelisted
4300 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | - | - | whitelisted
4968 | svchost.exe | HEAD | 200 | 199.232.210.172:80 | http://msedge.f.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/0740036a-4e18-456d-96fa-d1d9c4ca4676?P1=1739097269&P2=404&P3=2&P4=G7hXQ0bn86Cyku4ihNcdIwyaPsfaTpnpdwiHq2kcBrCOrgtsV6U3yiS0sMXG5rnwKiHrJ1vQIVtHs12N4fDHjw%3d%3d | unknown | - | - | whitelisted
4976 | backgroundTaskHost.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | - | - | whitelisted
4300 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | - | - | whitelisted
4968 | svchost.exe | GET | - | 199.232.210.172:80 | http://msedge.f.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/0740036a-4e18-456d-96fa-d1d9c4ca4676?P1=1739097269&P2=404&P3=2&P4=G7hXQ0bn86Cyku4ihNcdIwyaPsfaTpnpdwiHq2kcBrCOrgtsV6U3yiS0sMXG5rnwKiHrJ1vQIVtHs12N4fDHjw%3d%3d | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 40.127.240.158:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1176 | svchost.exe | 20.190.159.2:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5064 | SearchApp.exe | 2.21.65.154:443 | www.bing.com | Akamai International B.V. | NL | whitelisted
- | - | 184.30.131.245:80 | ocsp.digicert.com | AKAMAI-AS | US | whitelisted
1076 | svchost.exe | 184.28.89.167:443 | go.microsoft.com | AKAMAI-AS | US | whitelisted
5064 | SearchApp.exe | 2.21.65.132:443 | www.bing.com | Akamai International B.V. | NL | whitelisted
244 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4976 | backgroundTaskHost.exe | 20.199.58.43:443 | arc.msn.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted

DNS requests

Domain
IP
Reputation
login.live.com
  • 20.190.159.2
  • 40.126.31.128
  • 20.190.159.73
  • 40.126.31.3
  • 20.190.159.0
  • 40.126.31.73
  • 40.126.31.2
  • 40.126.31.129
whitelisted
www.bing.com
  • 2.21.65.154
  • 2.21.65.132
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
go.microsoft.com
  • 184.28.89.167
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
arc.msn.com
  • 20.199.58.43
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
fd.api.iris.microsoft.com
  • 20.223.35.26
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted

Threats

PID | Process | Class | Message
2192 | svchost.exe | Misc activity | ET TA_ABUSED_SERVICES Tunneling Service in DNS Lookup (* .ply .gg)
2192 | svchost.exe | Potentially Bad Traffic | ET INFO playit .gg Tunneling Domain in DNS Lookup
7000 | WindowsDefender.exe | Malware Command and Control Activity Detected | REMOTE [ANY.RUN] Xworm TCP Packet
4968 | svchost.exe | Misc activity | ET INFO Packed Executable Download
No debug info