File name:

JJSploit_8.10.15_x64_en-US.msi

Full analysis: https://app.any.run/tasks/d248a989-b935-465f-aee6-c2b77c629728
Verdict: Malicious activity
Analysis date: December 28, 2024, 20:35:31
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
generated-doc
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: JJSploit, Author: wearedevs, Keywords: Installer, Comments: This installer database contains the logic and data required to install JJSploit., Template: x64;0, Revision Number: {11619C15-6D7D-4951-9CF9-1136DA97AE6F}, Create Time/Date: Fri Dec 27 18:03:52 2024, Last Saved Time/Date: Fri Dec 27 18:03:52 2024, Number of Pages: 450, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
MD5:

CC9626B9EB05FCC4F0A12616E2C23504

SHA1:

70EF30A35C8CD3CF2DBAFF4DCDF47C33FEDBEC85

SHA256:

F468617180D78E999EAED9139FEF635874F0CB791D1CEB6642A364D7D366A32F

SSDEEP:

98304:miOoqqI3cH66jZM4G9JCN+QVJAfWtkXUgAS88yuCrY5zbpEQq0Ka4PR92naE8lIb:AdRLwElkGr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 1580)

    • Changes the autorun value in the registry

      • MicrosoftEdgeUpdate.exe (PID: 6840)

  • SUSPICIOUS

    • Executes as Windows Service

      • VSSVC.exe (PID: 6968)

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 1580)
      • MicrosoftEdgeWebview2Setup.exe (PID: 5964)
      • MicrosoftEdgeUpdate.exe (PID: 6840)

    • Manipulates environment variables

      • powershell.exe (PID: 1580)

    • Downloads file from URI via Powershell

      • powershell.exe (PID: 1580)

    • Starts process via Powershell

      • powershell.exe (PID: 1580)

    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 6484)

    • Starts POWERSHELL.EXE for commands execution

      • msiexec.exe (PID: 6484)

    • The process bypasses the loading of PowerShell profile settings

      • msiexec.exe (PID: 6484)

    • Gets or sets the security protocol (POWERSHELL)

      • powershell.exe (PID: 1580)

    • Starts itself from another location

      • MicrosoftEdgeUpdate.exe (PID: 6840)

    • Starts a Microsoft application from unusual location

      • MicrosoftEdgeWebview2Setup.exe (PID: 5964)
      • MicrosoftEdgeUpdate.exe (PID: 6840)

    • Process drops legitimate windows executable

      • MicrosoftEdgeWebview2Setup.exe (PID: 5964)
      • MicrosoftEdgeUpdate.exe (PID: 6840)
      • powershell.exe (PID: 1580)

    • Creates/Modifies COM task schedule object

      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 2996)
      • MicrosoftEdgeUpdate.exe (PID: 6792)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6236)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6644)

    • Reads security settings of Internet Explorer

      • MicrosoftEdgeUpdate.exe (PID: 6840)

    • Potential Corporate Privacy Violation

      • svchost.exe (PID: 6300)

  • INFO

    • Checks supported languages

      • msiexec.exe (PID: 6572)
      • msiexec.exe (PID: 6484)
      • MicrosoftEdgeWebview2Setup.exe (PID: 5964)
      • MicrosoftEdgeUpdate.exe (PID: 6840)
      • MicrosoftEdgeUpdate.exe (PID: 6792)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 2996)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6236)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6644)
      • MicrosoftEdgeUpdate.exe (PID: 6924)
      • MicrosoftEdgeUpdate.exe (PID: 6092)
      • MicrosoftEdgeUpdate.exe (PID: 188)

    • An automatically generated document

      • msiexec.exe (PID: 6332)

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 6332)
      • msiexec.exe (PID: 6484)

    • Manages system restore points

      • SrTasks.exe (PID: 6496)

    • Reads the computer name

      • msiexec.exe (PID: 6572)
      • msiexec.exe (PID: 6484)
      • MicrosoftEdgeUpdate.exe (PID: 6840)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 2996)
      • MicrosoftEdgeUpdate.exe (PID: 6792)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6644)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6236)
      • MicrosoftEdgeUpdate.exe (PID: 6924)
      • MicrosoftEdgeUpdate.exe (PID: 188)
      • MicrosoftEdgeUpdate.exe (PID: 6092)

    • Creates a software uninstall entry

      • msiexec.exe (PID: 6484)

    • Disables trace logs

      • powershell.exe (PID: 1580)

    • Checks proxy server information

      • powershell.exe (PID: 1580)
      • MicrosoftEdgeUpdate.exe (PID: 6924)
      • MicrosoftEdgeUpdate.exe (PID: 188)

    • The process uses the downloaded file

      • powershell.exe (PID: 1580)

    • The executable file from the user directory is run by the Powershell process

      • MicrosoftEdgeWebview2Setup.exe (PID: 5964)

    • The sample compiled with english language support

      • MicrosoftEdgeWebview2Setup.exe (PID: 5964)
      • MicrosoftEdgeUpdate.exe (PID: 6840)
      • powershell.exe (PID: 1580)

    • Create files in a temporary directory

      • MicrosoftEdgeWebview2Setup.exe (PID: 5964)
      • MicrosoftEdgeUpdate.exe (PID: 6840)
      • svchost.exe (PID: 6300)

    • Creates files or folders in the user directory

      • MicrosoftEdgeUpdate.exe (PID: 6840)

    • Reads Environment values

      • MicrosoftEdgeUpdate.exe (PID: 6924)

    • Process checks computer location settings

      • MicrosoftEdgeUpdate.exe (PID: 6840)

    • Reads the software policy settings

      • MicrosoftEdgeUpdate.exe (PID: 6924)
      • MicrosoftEdgeUpdate.exe (PID: 188)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (98.5)
.msi | Microsoft Installer (100)

EXIF

FlashPix

CodePage: Windows Latin 1 (Western European)
Title: Installation Database
Subject: JJSploit
Author: wearedevs
Keywords: Installer
Comments: This installer database contains the logic and data required to install JJSploit.
Template: x64;0
RevisionNumber: {11619C15-6D7D-4951-9CF9-1136DA97AE6F}
CreateDate: 2024:12:27 18:03:52
ModifyDate: 2024:12:27 18:03:52
Pages: 450
Words: 2
Software: Windows Installer XML Toolset (3.14.1.8722)
Security: Read-only recommended
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
144
Monitored processes
18
Malicious processes
6
Suspicious processes
0

Behavior graph

Click at the process to see the details
start msiexec.exe msiexec.exe msiexec.exe no specs vssvc.exe no specs srtasks.exe no specs conhost.exe no specs powershell.exe conhost.exe no specs microsoftedgewebview2setup.exe microsoftedgeupdate.exe microsoftedgeupdate.exe no specs microsoftedgeupdatecomregistershell64.exe no specs microsoftedgeupdatecomregistershell64.exe no specs microsoftedgeupdatecomregistershell64.exe no specs microsoftedgeupdate.exe microsoftedgeupdate.exe no specs microsoftedgeupdate.exe svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
188"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" -EmbeddingC:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update
Version:
1.3.195.43
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\ucrtbase.dll
1580powershell.exe -NoProfile -windowstyle hidden try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 } catch {}; Invoke-WebRequest -Uri "https://go.microsoft.com/fwlink/p/?LinkId=2124703" -OutFile "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" ; Start-Process -FilePath "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" -ArgumentList ('/silent', '/install') -WaitC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2408\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeSrTasks.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2996"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.195.43\MicrosoftEdgeUpdateComRegisterShell64.exe" /user C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.195.43\MicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update COM Registration Helper
Exit code:
0
Version:
1.3.195.43
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\1.3.195.43\microsoftedgeupdatecomregistershell64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
5536\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5964"C:\Users\admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe" /silent /install C:\Users\admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update Setup
Version:
1.3.195.43
Modules
Images
c:\users\admin\appdata\local\temp\microsoftedgewebview2setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
6092"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=false" /installsource otherinstallcmd /sessionid "{3F375CB8-B7AF-46C4-95F1-742D23E68D1D}" /silentC:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update
Version:
1.3.195.43
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\ucrtbase.dll
6236"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.195.43\MicrosoftEdgeUpdateComRegisterShell64.exe" /user C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.195.43\MicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update COM Registration Helper
Exit code:
0
Version:
1.3.195.43
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\1.3.195.43\microsoftedgeupdatecomregistershell64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
6300C:\WINDOWS\System32\svchost.exe -k netsvcs -p -s BITSC:\Windows\System32\svchost.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
6332"C:\Windows\System32\msiexec.exe" /i C:\Users\admin\AppData\Local\Temp\JJSploit_8.10.15_x64_en-US.msiC:\Windows\System32\msiexec.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Version:
5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
Total events
12 578
Read events
11 417
Write events
1 118
Delete events
43

Modification events

(PID) Process:(6484) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation:writeName:SrCreateRp (Enter)
Value:
48000000000000001455C0136859DB0154190000281B0000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(6484) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppEnumGroups (Leave)
Value:
4800000000000000B156FE136859DB0154190000281B0000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(6484) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppCreate (Enter)
Value:
4800000000000000B1B600146859DB0154190000281B0000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(6484) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppGetSnapshots (Enter)
Value:
48000000000000001455C0136859DB0154190000281B0000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(6484) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppGetSnapshots (Leave)
Value:
4800000000000000AFEFFB136859DB0154190000281B0000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(6484) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppEnumGroups (Enter)
Value:
4800000000000000AFEFFB136859DB0154190000281B0000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(6484) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppGatherWriterMetadata (Enter)
Value:
4800000000000000DA5A6E146859DB0154190000281B0000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(6968) VSSVC.exeKey:HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\11000001
Operation:delete keyName:(default)
Value:
(PID) Process:(6968) VSSVC.exeKey:HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\11000001
Operation:writeName:Element
Value:
0000000000000000000000000000000006000000000000004800000000000000715E5C2FA985EB1190A89A9B763584210000000000000000745E5C2FA985EB1190A89A9B7635842100000000000000000000000000000000
(PID) Process:(6968) VSSVC.exeKey:HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\12000002
Operation:delete keyName:(default)
Value:
Executable files
204
Suspicious files
19
Text files
20
Unknown types
2

Dropped files

PID
Process
Filename
Type
6484msiexec.exeC:\System Volume Information\SPP\metadata-2
MD5:
SHA256:
6484msiexec.exeC:\Windows\Installer\13abe3.msi
MD5:
SHA256:
6484msiexec.exeC:\Windows\Temp\~DF9812F2495E23A262.TMPbinary
MD5:0220E43B05781BF918A084CB0585C26B
SHA256:E02794CB69CA6A4FD4DEBE2EE4D40D985EFA0B2576CCF74C0A14411CBFF757E1
6484msiexec.exeC:\Program Files\JJSploit\JJSploit.exeexecutable
MD5:F9765D4273A57FBB90CAB8B829E571B2
SHA256:8D0BA9F46379E110B137DDDC8A6F9F97A07288435521BABFB22FB8FE170F2E23
6484msiexec.exeC:\System Volume Information\SPP\OnlineMetadataCache\{930a5c4d-1fed-4188-8a95-7e3d4a0adfa5}_OnDiskSnapshotPropbinary
MD5:7B8E43EA12F5B70906A21D6DE6475D6C
SHA256:DE4BADC96285E08A5AAE909CF6F276F97B99220AEB7A72D3613F23E34329B4A6
6484msiexec.exeC:\Windows\Installer\MSIB104.tmpbinary
MD5:265EF25AFA836B9BBD8043C9E1EED785
SHA256:E57AEDC3A38F3B84866716098B8D2D6138407BE4FE68A16A30965CAB44815ECE
6484msiexec.exeC:\Windows\Installer\inprogressinstallinfo.ipibinary
MD5:0220E43B05781BF918A084CB0585C26B
SHA256:E02794CB69CA6A4FD4DEBE2EE4D40D985EFA0B2576CCF74C0A14411CBFF757E1
6484msiexec.exeC:\Windows\Temp\~DFB8CE4DF1C331103D.TMPbinary
MD5:BF619EAC0CDF3F68D496EA9344137E8B
SHA256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
6484msiexec.exeC:\Program Files\JJSploit\resources\luascripts\jailbreak\walkspeed.luabinary
MD5:76D6BC545A92D108FF8A18614A5DB4AD
SHA256:A7931EE89662C563637E1752228923D182F42F3A70286D4FD0A1FFF993C9766D
6484msiexec.exeC:\System Volume Information\SPP\snapshot-2binary
MD5:7B8E43EA12F5B70906A21D6DE6475D6C
SHA256:DE4BADC96285E08A5AAE909CF6F276F97B99220AEB7A72D3613F23E34329B4A6
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
13
TCP/UDP connections
41
DNS requests
21
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6188
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
3420
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
3420
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
6300
svchost.exe
HEAD
200
199.232.210.172:80
http://msedge.f.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/7d9cd93c-1d5e-449b-9ad7-f1e8d6b90509?P1=1736022976&P2=404&P3=2&P4=S8ZW%2fKqKhZfH794yDOI0uQiBdvTafqaVQOaAUXvtXsURhOYzHDviOv4h4qr20mdMrC6LxgSI8pAzrrLcBxnOwA%3d%3d
unknown
whitelisted
6300
svchost.exe
GET
199.232.210.172:80
http://msedge.f.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/7d9cd93c-1d5e-449b-9ad7-f1e8d6b90509?P1=1736022976&P2=404&P3=2&P4=S8ZW%2fKqKhZfH794yDOI0uQiBdvTafqaVQOaAUXvtXsURhOYzHDviOv4h4qr20mdMrC6LxgSI8pAzrrLcBxnOwA%3d%3d
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
23.48.23.164:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
23.48.23.164:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
23.48.23.164:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:137
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4712
MoUsoCoreWorker.exe
23.48.23.164:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
23.48.23.164:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5064
SearchApp.exe
104.126.37.177:443
www.bing.com
Akamai International B.V.
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
1176
svchost.exe
20.190.159.64:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 40.127.240.158
whitelisted
crl.microsoft.com
  • 23.48.23.164
  • 23.48.23.162
  • 23.48.23.145
  • 23.48.23.194
  • 23.48.23.158
  • 23.48.23.143
  • 23.48.23.167
  • 23.48.23.183
  • 23.48.23.169
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
google.com
  • 172.217.23.110
whitelisted
www.bing.com
  • 104.126.37.177
  • 104.126.37.178
  • 104.126.37.153
  • 104.126.37.123
  • 104.126.37.160
  • 104.126.37.171
  • 104.126.37.170
  • 104.126.37.186
  • 104.126.37.154
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 20.190.159.64
  • 20.190.159.0
  • 40.126.31.69
  • 40.126.31.73
  • 20.190.159.75
  • 40.126.31.67
  • 20.190.159.73
  • 20.190.159.68
whitelisted
go.microsoft.com
  • 23.35.238.131
whitelisted
arc.msn.com
  • 20.223.35.26
whitelisted
fd.api.iris.microsoft.com
  • 20.31.169.57
whitelisted

Threats

PID
Process
Class
Message
6300
svchost.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
JJSploit_8.10.15_x64_en-US.msi