File name:

JJsploit_installer.exe

Full analysis: https://app.any.run/tasks/7714763f-ef05-48f4-8451-533765950594
Verdict: Malicious activity
Threats:

XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails.

Analysis date: February 02, 2025, 10:33:26
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
remote
xworm
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:

4605C18DCB612FAB6516EF661CE100E4

SHA1:

EA49BB0B0716C649F3DD07593BE49F7E055FBBA3

SHA256:

C75E74F2DAF6FB603616BD89BE4D6564A8BEFED2C328549844C10061E73E8DBF

SSDEEP:

98304:JfLIQ/YQ/sNMLIq5IPg/8PiWDftwFB7TR0khNcU/9EvvRpTMdYlfMDxn1d/evnP+:DR28dW7n+p

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • WindowsDefender.exe (PID: 7000)
      • MicrosoftEdgeUpdate.exe (PID: 6884)
    • Creates files in the Startup directory

      • WindowsDefender.exe (PID: 7000)
    • XWORM has been detected (SURICATA)

      • WindowsDefender.exe (PID: 7000)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 6744)
  • SUSPICIOUS

    • There is functionality for taking screenshots (YARA)

      • JJsploit_installer.exe (PID: 6344)
    • Executable content was dropped or overwritten

      • JJsploit_installer.exe (PID: 6344)
      • JJsploit.exe (PID: 6920)
      • powershell.exe (PID: 6744)
      • MicrosoftEdgeWebview2Setup.exe (PID: 1536)
      • MicrosoftEdgeUpdate.exe (PID: 6884)
    • Reads the date of Windows installation

      • JJsploit.exe (PID: 6920)
    • Reads security settings of Internet Explorer

      • JJsploit.exe (PID: 6920)
      • JJsploit_installer.exe (PID: 6344)
      • MicrosoftEdgeUpdate.exe (PID: 6884)
    • Connects to unusual port

      • WindowsDefender.exe (PID: 7000)
    • Executes as Windows Service

      • VSSVC.exe (PID: 3612)
    • Contacting a server suspected of hosting a CnC

      • WindowsDefender.exe (PID: 7000)
    • The process bypasses the loading of PowerShell profile settings

      • msiexec.exe (PID: 7064)
    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 7064)
    • Manipulates environment variables

      • powershell.exe (PID: 6744)
    • Starts POWERSHELL.EXE for commands execution

      • msiexec.exe (PID: 7064)
    • Gets or sets the security protocol (POWERSHELL)

      • powershell.exe (PID: 6744)
    • Downloads a file from a URI via PowerShell

      • powershell.exe (PID: 6744)
    • Process drops legitimate windows executable

      • powershell.exe (PID: 6744)
      • MicrosoftEdgeWebview2Setup.exe (PID: 1536)
      • MicrosoftEdgeUpdate.exe (PID: 6884)
    • Starts a Microsoft application from unusual location

      • MicrosoftEdgeUpdate.exe (PID: 6884)
      • MicrosoftEdgeWebview2Setup.exe (PID: 1536)
    • Creates/Modifies COM task schedule object

      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6904)
      • MicrosoftEdgeUpdate.exe (PID: 6384)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6972)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6984)
    • Starts itself from another location

      • MicrosoftEdgeUpdate.exe (PID: 6884)
    • Starts process via Powershell

      • powershell.exe (PID: 6744)
  • INFO

    • Checks supported languages

      • JJsploit_installer.exe (PID: 6344)
      • WindowsDefender.exe (PID: 7000)
      • msiexec.exe (PID: 7064)
      • JJsploit.exe (PID: 6920)
      • msiexec.exe (PID: 7120)
      • MicrosoftEdgeWebview2Setup.exe (PID: 1536)
      • MicrosoftEdgeUpdate.exe (PID: 6884)
      • MicrosoftEdgeUpdate.exe (PID: 6384)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6904)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6972)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6984)
      • MicrosoftEdgeUpdate.exe (PID: 520)
      • MicrosoftEdgeUpdate.exe (PID: 1344)
      • MicrosoftEdgeUpdate.exe (PID: 2624)
    • Creates files in a temporary directory

      • JJsploit_installer.exe (PID: 6344)
      • MicrosoftEdgeWebview2Setup.exe (PID: 1536)
      • MicrosoftEdgeUpdate.exe (PID: 6884)
    • Process checks computer location settings

      • JJsploit_installer.exe (PID: 6344)
      • JJsploit.exe (PID: 6920)
      • MicrosoftEdgeUpdate.exe (PID: 6884)
    • Reads the machine GUID from the registry

      • JJsploit.exe (PID: 6920)
      • WindowsDefender.exe (PID: 7000)
    • Reads the computer name

      • JJsploit.exe (PID: 6920)
      • WindowsDefender.exe (PID: 7000)
      • msiexec.exe (PID: 7064)
      • msiexec.exe (PID: 7120)
      • MicrosoftEdgeUpdate.exe (PID: 6884)
      • MicrosoftEdgeUpdate.exe (PID: 6384)
      • JJsploit_installer.exe (PID: 6344)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6972)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6984)
      • MicrosoftEdgeUpdate.exe (PID: 520)
      • MicrosoftEdgeUpdate.exe (PID: 2624)
      • MicrosoftEdgeUpdate.exe (PID: 1344)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6904)
    • Creates files or folders in the user directory

      • JJsploit.exe (PID: 6920)
      • WindowsDefender.exe (PID: 7000)
      • MicrosoftEdgeUpdate.exe (PID: 6884)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 6992)
      • msiexec.exe (PID: 7064)
    • Manages system restore points

      • SrTasks.exe (PID: 5532)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 7064)
    • Disables trace logs

      • powershell.exe (PID: 6744)
    • Checks proxy server information

      • powershell.exe (PID: 6744)
      • MicrosoftEdgeUpdate.exe (PID: 520)
      • MicrosoftEdgeUpdate.exe (PID: 1344)
    • The executable file from the user directory is run by the Powershell process

      • MicrosoftEdgeWebview2Setup.exe (PID: 1536)
    • The sample was compiled with English language support

      • powershell.exe (PID: 6744)
      • MicrosoftEdgeWebview2Setup.exe (PID: 1536)
      • MicrosoftEdgeUpdate.exe (PID: 6884)
    • Reads Microsoft Office registry keys

      • JJsploit.exe (PID: 6920)
    • Reads Environment values

      • MicrosoftEdgeUpdate.exe (PID: 520)
    • Reads the software policy settings

      • MicrosoftEdgeUpdate.exe (PID: 520)
      • MicrosoftEdgeUpdate.exe (PID: 1344)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:10:03 07:51:19+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.33
CodeSize: 214528
InitializedDataSize: 350720
UninitializedDataSize: -
EntryPoint: 0x21d50
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes
147
Monitored processes
21
Malicious processes
8
Suspicious processes
0

Behavior graph

start jjsploit_installer.exe jjsploit.exe msiexec.exe #XWORM windowsdefender.exe msiexec.exe msiexec.exe no specs vssvc.exe no specs svchost.exe srtasks.exe no specs conhost.exe no specs powershell.exe conhost.exe no specs microsoftedgewebview2setup.exe microsoftedgeupdate.exe microsoftedgeupdate.exe no specs microsoftedgeupdatecomregistershell64.exe no specs microsoftedgeupdatecomregistershell64.exe no specs microsoftedgeupdatecomregistershell64.exe no specs microsoftedgeupdate.exe microsoftedgeupdate.exe no specs microsoftedgeupdate.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 520
CMD: "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMCIgc2Vzc2lvbmlkPSJ7Rjg1RDNFNEEtMDgxOS00N0I4LUJGNTEtQzQyOTczRTFGOUQ5fSIgdXNlcmlkPSJ7QTQyOTZEQTMtRjkyOC00OUJBLTkzMEUtQjNCRjEyOUZEOUY3fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9IntGNUQ2Rjk5OS04Q0Y5LTRBMzctQjk2Qi0yODU2OEE1MEUxNDh9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iNCIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQ1LjQwNDYiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREVMTCIgcHJvZHVjdF9uYW1lPSJERUxMIi8-PGV4cCBldGFnPSIiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMS4zLjE5NS40MyIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTMyMjAwNjkxMTIiIGluc3RhbGxfdGltZV9tcz0iNTM4Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
Path: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
Parent process: MicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update
Exit code:
0
Version:
1.3.195.43
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\ucrtbase.dll
PID: 1344
CMD: "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" -Embedding
Path: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update
Version:
1.3.195.43
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\ucrtbase.dll
PID: 1536
CMD: "C:\Users\admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe" /silent /install
Path: C:\Users\admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update Setup
Version:
1.3.195.43
Modules
Images
c:\users\admin\appdata\local\temp\microsoftedgewebview2setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 1988
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2192
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 2624
CMD: "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=false" /installsource otherinstallcmd /sessionid "{F85D3E4A-0819-47B8-BF51-C42973E1F9D9}" /silent
Path: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
Parent process: MicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update
Version:
1.3.195.43
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\ucrtbase.dll
PID: 3612
CMD: C:\WINDOWS\system32\vssvc.exe
Path: C:\Windows\System32\VSSVC.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 5532
CMD: C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:11
Path: C:\Windows\System32\SrTasks.exe
Parent process: msiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Windows System Protection background tasks.
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\srtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 5712
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: SrTasks.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6344
CMD: "C:\Users\admin\AppData\Local\Temp\JJsploit_installer.exe"
Path: C:\Users\admin\AppData\Local\Temp\JJsploit_installer.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\jjsploit_installer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
Total events
13 433
Read events
12 844
Write events
546
Delete events
43

Modification events

(PID) Process: (6920) JJsploit.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.msi\OpenWithProgids
Operation: write
Name: Msi.Package
Value:
(PID) Process: (7064) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation: write
Name: SrCreateRp (Enter)
Value:
4800000000000000FE190AF75D75DB01981B00008C130000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (7064) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Enter)
Value:
4800000000000000FE190AF75D75DB01981B00008C130000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (7000) WindowsDefender.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: WindowsDefender
Value:
C:\Users\admin\AppData\Roaming\WindowsDefender.exe
(PID) Process: (7064) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Leave)
Value:
4800000000000000ED8A5DF75D75DB01981B00008C130000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (7064) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Leave)
Value:
4800000000000000DC275BF75D75DB01981B00008C130000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (7064) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Enter)
Value:
4800000000000000DC275BF75D75DB01981B00008C130000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (7064) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppCreate (Enter)
Value:
48000000000000001FB564F75D75DB01981B00008C130000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (7064) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGatherWriterMetadata (Enter)
Value:
4800000000000000A8ECDBF75D75DB01981B00008C130000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (7064) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher
Operation: write
Name: IDENTIFY (Enter)
Value:
4800000000000000656FDEF75D75DB01981B000004190000E8030000010000000000000000000000F0DD9CD8C2FE3845B4A5376D812D5B3800000000000000000000000000000000
Executable files
206
Suspicious files
22
Text files
19
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 6920 | Process: JJsploit.exe
Filename: C:\Users\admin\AppData\Roaming\JJSploit_8.11.2_x64_en-US.msi
MD5:
SHA256:

PID: 7064 | Process: msiexec.exe
Filename: C:\System Volume Information\SPP\metadata-2
MD5:
SHA256:

PID: 7064 | Process: msiexec.exe
Filename: C:\Windows\Installer\13fb7a.msi
MD5:
SHA256:

PID: 7064 | Process: msiexec.exe
Filename: C:\Windows\Temp\~DFF775BE605B80B1F0.TMP
Type: binary
MD5: 757D484EE8703AF29CEA425142192097
SHA256: 46FBE57FF7A1274B2A4EB85C836D2351B838422E12DDC98DB1E732CE67287F6A

PID: 7064 | Process: msiexec.exe
Filename: C:\System Volume Information\SPP\OnlineMetadataCache\{d89cddf0-fec2-4538-b4a5-376d812d5b38}_OnDiskSnapshotProp
Type: binary
MD5: 24FEAB74951AD81F58053B75A6DE3602
SHA256: 23D10486282F7D3C5F81BD90D0CA206ABD7D9C9C567B80C070AA2E4B6471660B

PID: 7064 | Process: msiexec.exe
Filename: C:\Program Files\JJSploit\resources\luascripts\animations\energizegui.lua
Type: text
MD5: 70B51C18FBF11B73271E552FBB224396
SHA256: 7E7579AC512265FC6508B7B4D025EE923BCA7F23937ED10F41BEFDC440C28761

PID: 7064 | Process: msiexec.exe
Filename: C:\Program Files\JJSploit\resources\luascripts\general\fly.lua
Type: binary
MD5: 54A3C002B2B1E311B6488B5796094457
SHA256: 4F4098A0CCAD434E7CF4684DF559858BDDD5D17768F4C8BF89B0BED072575A47

PID: 7064 | Process: msiexec.exe
Filename: C:\Program Files\JJSploit\resources\luascripts\general\infinitejump.lua
Type: binary
MD5: F13B9AD3F7D7EB0827D189699D50490C
SHA256: E81510EB4EE69A72D9087DEFD412453C0C63D2772CAC3749757B842FB126E435

PID: 7064 | Process: msiexec.exe
Filename: C:\Windows\Installer\MSI4A2.tmp
Type: binary
MD5: 262F473E50250068D90EF637B5880E19
SHA256: 584D17EE7603C264F7E141A00DA6EABDAAF22C6455923145DD6885C5EB93E596

PID: 7064 | Process: msiexec.exe
Filename: C:\Windows\Installer\inprogressinstallinfo.ipi
Type: binary
MD5: 757D484EE8703AF29CEA425142192097
SHA256: 46FBE57FF7A1274B2A4EB85C836D2351B838422E12DDC98DB1E732CE67287F6A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
38
DNS requests
20
Threats
4

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
Method: GET | HTTP Code: 200 | IP: 184.30.131.245:80
URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
CN: unknown | Reputation: whitelisted

PID: 4300 | Process: SIHClient.exe
Method: GET | HTTP Code: 200 | IP: 95.101.149.131:80
URL: http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
CN: unknown | Reputation: whitelisted

Method: GET | HTTP Code: 200 | IP: 184.30.131.245:80
URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
CN: unknown | Reputation: whitelisted

PID: 4300 | Process: SIHClient.exe
Method: GET | HTTP Code: 200 | IP: 95.101.149.131:80
URL: http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
CN: unknown | Reputation: whitelisted

PID: 4968 | Process: svchost.exe
Method: GET | IP: 199.232.210.172:80
URL: http://msedge.f.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/0740036a-4e18-456d-96fa-d1d9c4ca4676?P1=1739097269&P2=404&P3=2&P4=G7hXQ0bn86Cyku4ihNcdIwyaPsfaTpnpdwiHq2kcBrCOrgtsV6U3yiS0sMXG5rnwKiHrJ1vQIVtHs12N4fDHjw%3d%3d
CN: unknown | Reputation: whitelisted

PID: 4976 | Process: backgroundTaskHost.exe
Method: GET | HTTP Code: 200 | IP: 184.30.131.245:80
URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
CN: unknown | Reputation: whitelisted

PID: 4968 | Process: svchost.exe
Method: HEAD | HTTP Code: 200 | IP: 199.232.210.172:80
URL: http://msedge.f.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/0740036a-4e18-456d-96fa-d1d9c4ca4676?P1=1739097269&P2=404&P3=2&P4=G7hXQ0bn86Cyku4ihNcdIwyaPsfaTpnpdwiHq2kcBrCOrgtsV6U3yiS0sMXG5rnwKiHrJ1vQIVtHs12N4fDHjw%3d%3d
CN: unknown | Reputation: whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
IP: 40.127.240.158:443 | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: IE | Reputation: unknown
PID: 4 | Process: System | IP: 192.168.100.255:138 | Reputation: whitelisted
PID: 1176 | Process: svchost.exe | IP: 20.190.159.2:443 | Domain: login.live.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: IE | Reputation: whitelisted
PID: 5064 | Process: SearchApp.exe | IP: 2.21.65.154:443 | Domain: www.bing.com | ASN: Akamai International B.V. | CN: NL | Reputation: whitelisted
IP: 184.30.131.245:80 | Domain: ocsp.digicert.com | ASN: AKAMAI-AS | CN: US | Reputation: whitelisted
PID: 1076 | Process: svchost.exe | IP: 184.28.89.167:443 | Domain: go.microsoft.com | ASN: AKAMAI-AS | CN: US | Reputation: whitelisted
PID: 5064 | Process: SearchApp.exe | IP: 2.21.65.132:443 | Domain: www.bing.com | ASN: Akamai International B.V. | CN: NL | Reputation: whitelisted
PID: 244 | Process: svchost.exe | IP: 4.231.128.59:443 | Domain: settings-win.data.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: IE | Reputation: whitelisted
PID: 4 | Process: System | IP: 192.168.100.255:137 | Reputation: whitelisted
PID: 4976 | Process: backgroundTaskHost.exe | IP: 20.199.58.43:443 | Domain: arc.msn.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: FR | Reputation: whitelisted

DNS requests

Domain
IP
Reputation
login.live.com
  • 20.190.159.2
  • 40.126.31.128
  • 20.190.159.73
  • 40.126.31.3
  • 20.190.159.0
  • 40.126.31.73
  • 40.126.31.2
  • 40.126.31.129
whitelisted
www.bing.com
  • 2.21.65.154
  • 2.21.65.132
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
go.microsoft.com
  • 184.28.89.167
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
arc.msn.com
  • 20.199.58.43
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
fd.api.iris.microsoft.com
  • 20.223.35.26
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted

Threats

PID
Process
Class
Message
PID: 2192 | Process: svchost.exe | Class: Misc activity | Message: ET TA_ABUSED_SERVICES Tunneling Service in DNS Lookup (* .ply .gg)
PID: 2192 | Process: svchost.exe | Class: Potentially Bad Traffic | Message: ET INFO playit .gg Tunneling Domain in DNS Lookup
PID: 7000 | Process: WindowsDefender.exe | Class: Malware Command and Control Activity Detected | Message: REMOTE [ANY.RUN] Xworm TCP Packet
PID: 4968 | Process: svchost.exe | Class: Misc activity | Message: ET INFO Packed Executable Download
No debug info