Analysis
max time kernel: 92s
max time network: 93s
platform: windows11-21h2_x64
resource: win11-20240221-en
resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 06/04/2024, 00:22
Static task: static1
Behavioral task: behavioral1
Sample: JJSploit_7.3.0_x86_en-US.msi
Resource: win11-20240221-en
General
Target: JJSploit_7.3.0_x86_en-US.msi
Size: 5.8MB
MD5: 9c232fe2ede51929244afc5c67e53b51
SHA1: 8e8bb0eda09d25c1f44b8abd66a7e15a414b76f5
SHA256: 1985fdbec700334fbb2c907f37a102930744e6b3e9198c25f516eae9f6854e9b
SHA512: d7ba56ed15a4bb482a69543e6bfe11d0aed4bf6b6b037d51dc2d191e1eaae187d1297bbb7c847d73259c34bb9ee26f26f3689c2592b4ff92968101303be61492
SSDEEP: 98304:57AC5TdoYMyLSRpyviWkKPm7I2lLYaQ9OoSwYQf9Ib9XuvmhueA34SHeFblFY6nm:/T+USRLWtPm/O9SwYmIb9S5K3F6Wa
Malware Config
Signatures

Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
All 46 events are msiexec.exe opening the root of a drive letter read-only. Each of the 23 letters below was probed twice; C:, D: and F: do not appear in the list. None of the JJSploit.exe processes appear under this signature.

description             ioc     Process
File opened (read-only) \??\A:  msiexec.exe (x2)
File opened (read-only) \??\B:  msiexec.exe (x2)
File opened (read-only) \??\E:  msiexec.exe (x2)
File opened (read-only) \??\G:  msiexec.exe (x2)
File opened (read-only) \??\H:  msiexec.exe (x2)
File opened (read-only) \??\I:  msiexec.exe (x2)
File opened (read-only) \??\J:  msiexec.exe (x2)
File opened (read-only) \??\K:  msiexec.exe (x2)
File opened (read-only) \??\L:  msiexec.exe (x2)
File opened (read-only) \??\M:  msiexec.exe (x2)
File opened (read-only) \??\N:  msiexec.exe (x2)
File opened (read-only) \??\O:  msiexec.exe (x2)
File opened (read-only) \??\P:  msiexec.exe (x2)
File opened (read-only) \??\Q:  msiexec.exe (x2)
File opened (read-only) \??\R:  msiexec.exe (x2)
File opened (read-only) \??\S:  msiexec.exe (x2)
File opened (read-only) \??\T:  msiexec.exe (x2)
File opened (read-only) \??\U:  msiexec.exe (x2)
File opened (read-only) \??\V:  msiexec.exe (x2)
File opened (read-only) \??\W:  msiexec.exe (x2)
File opened (read-only) \??\X:  msiexec.exe (x2)
File opened (read-only) \??\Y:  msiexec.exe (x2)
File opened (read-only) \??\Z:  msiexec.exe (x2)
Drops file in Program Files directory (22 IoCs)
All files are created by msiexec.exe under C:\Program Files (x86)\JJSploit\.

description  ioc                                                            Process
File created C:\Program Files (x86)\JJSploit\resources\luascripts\animations\walkthrough.lua  msiexec.exe
File created C:\Program Files (x86)\JJSploit\resources\luascripts\animations\energizegui.lua  msiexec.exe
File created C:\Program Files (x86)\JJSploit\Uninstall JJSploit.lnk  msiexec.exe
File created C:\Program Files (x86)\JJSploit\JJSploit.exe  msiexec.exe
File created C:\Program Files (x86)\JJSploit\resources\luascripts\animations\jumpland.lua  msiexec.exe
File created C:\Program Files (x86)\JJSploit\resources\luascripts\jailbreak\removewalls.lua  msiexec.exe
File created C:\Program Files (x86)\JJSploit\resources\luascripts\general\god.lua  msiexec.exe
File created C:\Program Files (x86)\JJSploit\resources\luascripts\jailbreak\criminalesp.lua  msiexec.exe
File created C:\Program Files (x86)\JJSploit\resources\luascripts\general\magnetizeto.lua  msiexec.exe
File created C:\Program Files (x86)\JJSploit\resources\luascripts\general\infinitejump.lua  msiexec.exe
File created C:\Program Files (x86)\JJSploit\resources\luascripts\jailbreak\policeesp.lua  msiexec.exe
File created C:\Program Files (x86)\JJSploit\resources\luascripts\general\teleportto.lua  msiexec.exe
File created C:\Program Files (x86)\JJSploit\resources\luascripts\general\aimbot.lua  msiexec.exe
File created C:\Program Files (x86)\JJSploit\resources\luascripts\animations\dab.lua  msiexec.exe
File created C:\Program Files (x86)\JJSploit\resources\luascripts\animations\levitate.lua  msiexec.exe
File created C:\Program Files (x86)\JJSploit\resources\luascripts\beesim\autodig.lua  msiexec.exe
File created C:\Program Files (x86)\JJSploit\resources\luascripts\general\chattroll.lua  msiexec.exe
File created C:\Program Files (x86)\JJSploit\resources\luascripts\general\tptool.lua  msiexec.exe
File created C:\Program Files (x86)\JJSploit\resources\luascripts\general\fly.lua  msiexec.exe
File created C:\Program Files (x86)\JJSploit\resources\luascripts\general\noclip.lua  msiexec.exe
File created C:\Program Files (x86)\JJSploit\resources\luascripts\general\multidimensionalcharacter.lua  msiexec.exe
File created C:\Program Files (x86)\JJSploit\resources\luascripts\jailbreak\walkspeed.lua  msiexec.exe
Drops file in Windows directory (18 IoCs)

description                  ioc                                                                      Process
File opened for modification C:\Windows\Installer\  msiexec.exe
File created                 C:\Windows\SystemTemp\~DF3106AA00908F1CA6.TMP  msiexec.exe
File opened for modification C:\Windows\Panther\UnattendGC\setupact.log  UserOOBEBroker.exe
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log  msiexec.exe
File opened for modification C:\Windows\Installer\MSI7C15.tmp  msiexec.exe
File opened for modification C:\Windows\Installer\{31543371-3E1F-49AD-AC6D-E72F218E3508}\ProductIcon  msiexec.exe
File opened for modification C:\Windows\Panther\UnattendGC\setuperr.log  UserOOBEBroker.exe
File opened for modification C:\Windows\Panther\UnattendGC\diagerr.xml  UserOOBEBroker.exe
File opened for modification C:\Windows\Panther\UnattendGC\diagwrn.xml  UserOOBEBroker.exe
File created                 C:\Windows\SystemTemp\~DFF62E1C5E8C709E71.TMP  msiexec.exe
File created                 C:\Windows\Installer\SourceHash{31543371-3E1F-49AD-AC6D-E72F218E3508}  msiexec.exe
File created                 C:\Windows\Installer\e577b1d.msi  msiexec.exe
File created                 C:\Windows\SystemTemp\~DF442A4282115C5D4B.TMP  msiexec.exe
File created                 C:\Windows\SystemTemp\~DF623FBDA35ADC81B0.TMP  msiexec.exe
File created                 C:\Windows\Installer\e577b1b.msi  msiexec.exe
File opened for modification C:\Windows\Installer\e577b1b.msi  msiexec.exe
File created                 C:\Windows\Installer\inprogressinstallinfo.ipi  msiexec.exe
File created                 C:\Windows\Installer\{31543371-3E1F-49AD-AC6D-E72F218E3508}\ProductIcon  msiexec.exe
Executes dropped EXE (3 IoCs)

pid   Process
400   JJSploit.exe
2408  JJSploit.exe
1888  JJSploit.exe

Loads dropped DLL (2 IoCs)

pid   Process
908   MsiExec.exe
908   MsiExec.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
All five events are attributed to vssvc.exe, the Volume Shadow Copy service (see "Uses Volume Shadow Copy service COM API" below), not to msiexec.exe or to any JJSploit.exe process. The keys are all under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters (abbreviated below as <DevParams>).

description       ioc                                                     Process
Key opened        <DevParams>  vssvc.exe
Key queried       <DevParams>  vssvc.exe
Key created       <DevParams>\Partmgr  vssvc.exe
Set value (data)  <DevParams>\Partmgr\PartitionTableCache = <data omitted>  vssvc.exe
Set value (data)  <DevParams>\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  vssvc.exe
Enumerates system info in registry (2 TTPs, 12 IoCs)
All 12 reads of the BIOS key come from the Microsoft Edge (msedge.exe) and Edge WebView2 (msedgewebview2.exe) processes, i.e. the browser launched for the two YouTube links and the WebView2 runtime hosting the JJSploit UI, not from msiexec.exe or JJSploit.exe itself.

description        ioc                                                                     Process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  msedge.exe (x1)
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe (x1)
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  msedge.exe (x1)
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  msedgewebview2.exe (x3)
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedgewebview2.exe (x3)
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  msedgewebview2.exe (x3)
Modifies data under HKEY_USERS (3 IoCs)

description  ioc                                                                          Process
Key created  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23  msiexec.exe
Key deleted  \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22\52C64B7E  msiexec.exe
Key deleted  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22  msiexec.exe
Modifies registry class (26 IoCs)
All keys are under \REGISTRY\MACHINE\SOFTWARE\Classes\Installer and all changes are made by msiexec.exe.

description       ioc
Set value (str)   Products\17334513F1E3DA94CAD67EF212E85380\ProductName = "JJSploit"
Set value (str)   Products\17334513F1E3DA94CAD67EF212E85380\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
Set value (data)  Products\17334513F1E3DA94CAD67EF212E85380\Clients = 3a0000000000
Key created       Features\17334513F1E3DA94CAD67EF212E85380
Key created       Products\17334513F1E3DA94CAD67EF212E85380
Set value (int)   Products\17334513F1E3DA94CAD67EF212E85380\Assignment = "1"
Set value (int)   Products\17334513F1E3DA94CAD67EF212E85380\AuthorizedLUAApp = "0"
Set value (int)   Products\17334513F1E3DA94CAD67EF212E85380\AdvertiseFlags = "388"
Set value (str)   Products\17334513F1E3DA94CAD67EF212E85380\SourceList\PackageName = "JJSploit_7.3.0_x86_en-US.msi"
Set value (str)   Features\17334513F1E3DA94CAD67EF212E85380\Environment = "MainProgram"
Set value (str)   Features\17334513F1E3DA94CAD67EF212E85380\External
Set value (str)   Products\17334513F1E3DA94CAD67EF212E85380\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"
Set value (str)   Products\17334513F1E3DA94CAD67EF212E85380\PackageCode = "19403D63BCD23974184F1D0CF7151CBF"
Set value (str)   Products\17334513F1E3DA94CAD67EF212E85380\SourceList\Media\1 = ";"
Key created       UpgradeCodes\1B5BE67603097495AB20AEE6179D01CA
Key created       Products\17334513F1E3DA94CAD67EF212E85380\SourceList\Media
Key created       Products\17334513F1E3DA94CAD67EF212E85380\SourceList
Set value (str)   Features\17334513F1E3DA94CAD67EF212E85380\ShortcutsFeature = "MainProgram"
Set value (int)   Products\17334513F1E3DA94CAD67EF212E85380\Version = "117637120"
Set value (str)   Products\17334513F1E3DA94CAD67EF212E85380\ProductIcon = "C:\\Windows\\Installer\\{31543371-3E1F-49AD-AC6D-E72F218E3508}\\ProductIcon"
Set value (int)   Products\17334513F1E3DA94CAD67EF212E85380\InstanceType = "0"
Set value (int)   Products\17334513F1E3DA94CAD67EF212E85380\DeploymentFlags = "3"
Set value (str)   UpgradeCodes\1B5BE67603097495AB20AEE6179D01CA\17334513F1E3DA94CAD67EF212E85380
Key created       Products\17334513F1E3DA94CAD67EF212E85380\SourceList\Net
Set value (str)   Features\17334513F1E3DA94CAD67EF212E85380\MainProgram
Set value (int)   Products\17334513F1E3DA94CAD67EF212E85380\Language = "0"
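The 32-character key names under Installer\Products, Installer\Features and Installer\UpgradeCodes are Windows Installer's "squished" form of the ProductCode, feature-set and UpgradeCode GUIDs (first three GUID groups reversed as strings, the last two reversed byte-wise), and the Version value is the product version packed as major<<24 | minor<<16 | build. Decoding them turns the raw IoC lines into checkable facts: the Products key 17334513F1E3DA94CAD67EF212E85380 is ProductCode {31543371-3E1F-49AD-AC6D-E72F218E3508}, the same GUID that names the SourceHash{...} file and ProductIcon directory in the "Drops file in Windows directory" list, and Version 117637120 decodes to 7.3.0, matching the package name. The script below is an added example, not part of this report or of Triage's or JJSploit's code; the REPORT_LINES list is a constructed subset of the rows in the table above, and the squish/unsquish and version helpers are the editor's own implementation of the documented Installer encoding.

```python
r"""Decode the Windows Installer registry footprint recorded in the report.

The Installer stores product, feature and upgrade GUIDs under
HKLM\SOFTWARE\Classes\Installer as "squished" 32-hex-character key names
and the product version as a packed integer.  The helpers below reverse
both encodings so the raw IoC lines can be read as facts.
"""
import re

_GUID_RE = re.compile(
    r"^\{?([0-9A-Fa-f]{8})-([0-9A-Fa-f]{4})-([0-9A-Fa-f]{4})-"
    r"([0-9A-Fa-f]{4})-([0-9A-Fa-f]{12})\}?$"
)

# One row of the "Modifies registry class" table, e.g.
#   Set value (str) \REGISTRY\...\Installer\Products\<32hex>\ProductName = "JJSploit" msiexec.exe
_ENTRY_RE = re.compile(
    r'^(?:Key created|Set value \((?:str|int|data)\))\s+'
    r'\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\Installer\\'
    r'(?P<table>Products|Features|UpgradeCodes)\\(?P<code>[0-9A-F]{32})'
    r'(?:\\(?P<sub>[^ =]+))?'
    r'(?:\s*=\s*(?P<val>"[^"]*"|\S+))?'
    r'\s+(?P<proc>\S+)$'
)


def _swap_pairs(s: str) -> str:
    """'AC6D' -> 'CAD6': swap the two hex digits of every byte."""
    return "".join(s[i + 1] + s[i] for i in range(0, len(s), 2))


def squish_guid(guid: str) -> str:
    """{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} -> 32-char Installer key name."""
    m = _GUID_RE.match(guid.strip())
    if not m:
        raise ValueError(f"not a GUID: {guid!r}")
    a, b, c, d, e = (g.upper() for g in m.groups())
    # first three groups reversed as strings, last two reversed byte-wise
    return a[::-1] + b[::-1] + c[::-1] + _swap_pairs(d) + _swap_pairs(e)


def unsquish_guid(key: str) -> str:
    """Inverse of squish_guid: 32 hex chars -> {GUID}."""
    key = key.strip().upper()
    if not re.fullmatch(r"[0-9A-F]{32}", key):
        raise ValueError(f"not a squished GUID: {key!r}")
    a, b, c, d, e = key[:8], key[8:12], key[12:16], key[16:20], key[20:]
    return "{%s-%s-%s-%s-%s}" % (a[::-1], b[::-1], c[::-1], _swap_pairs(d), _swap_pairs(e))


def decode_msi_version(packed: int) -> str:
    """Installer 'Version' value: major<<24 | minor<<16 | build."""
    return f"{(packed >> 24) & 0xFF}.{(packed >> 16) & 0xFF}.{packed & 0xFFFF}"


def summarize_installer_entries(lines):
    """Group report rows by decoded GUID and add human-readable fields."""
    info = {"products": {}, "features": {}, "upgrade_codes": {}}
    for line in lines:
        m = _ENTRY_RE.match(line.strip())
        if not m:
            continue  # not an Installer\{Products,Features,UpgradeCodes} row
        table, code, sub, val = m.group("table", "code", "sub", "val")
        if val is not None and val.startswith('"'):
            val = val[1:-1].replace("\\\\", "\\")  # the report shows escaped backslashes
        guid = unsquish_guid(code)
        if table == "UpgradeCodes":
            # value names under an UpgradeCode key are the squished ProductCodes it covers
            bucket = info["upgrade_codes"].setdefault(guid, [])
            if sub:
                bucket.append(unsquish_guid(sub))
        else:
            entry = info[table.lower()].setdefault(guid, {})
            if sub:
                entry[sub] = val
    for entry in info["products"].values():
        if entry.get("Version"):
            entry["VersionDecoded"] = decode_msi_version(int(entry["Version"]))
        if entry.get("PackageCode"):
            entry["PackageCodeGuid"] = unsquish_guid(entry["PackageCode"])
    return info


# Constructed sample: a subset of the rows from the "Modifies registry class" table above.
REPORT_LINES = [
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\17334513F1E3DA94CAD67EF212E85380 msiexec.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\17334513F1E3DA94CAD67EF212E85380\ProductName = "JJSploit" msiexec.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\17334513F1E3DA94CAD67EF212E85380\Version = "117637120" msiexec.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\17334513F1E3DA94CAD67EF212E85380\PackageCode = "19403D63BCD23974184F1D0CF7151CBF" msiexec.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\17334513F1E3DA94CAD67EF212E85380\SourceList\PackageName = "JJSploit_7.3.0_x86_en-US.msi" msiexec.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\17334513F1E3DA94CAD67EF212E85380\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" msiexec.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\17334513F1E3DA94CAD67EF212E85380\Environment = "MainProgram" msiexec.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\1B5BE67603097495AB20AEE6179D01CA\17334513F1E3DA94CAD67EF212E85380 msiexec.exe',
]

if __name__ == "__main__":
    import json
    print(json.dumps(summarize_installer_entries(REPORT_LINES), indent=2))
```

Run it as a script to get the grouped summary as JSON; on a live system the same helpers apply to the key names read from HKLM\SOFTWARE\Classes\Installer\Products, which is how an installed product is matched back to its ProductCode and UpgradeCode when the MSI itself is no longer available.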
Suspicious behavior: EnumeratesProcesses (14 IoCs)

pid   Process             count
2948  msiexec.exe         2
2288  msedge.exe          2
1972  msedge.exe          2
4992  msedgewebview2.exe  2
424   identity_helper.exe 2
1488  msedgewebview2.exe  2
3208  msedgewebview2.exe  2

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (8 IoCs)

pid   Process             count
1972  msedge.exe          5
1348  msedgewebview2.exe  1
4180  msedgewebview2.exe  1
4092  msedgewebview2.exe  1
Suspicious use of AdjustPrivilegeToken (64 IoCs)
64 entries are shown, grouped here by process in the order recorded.

pid   Process      Token(s)
2372  msiexec.exe  SeShutdownPrivilege, SeIncreaseQuotaPrivilege
2948  msiexec.exe  SeSecurityPrivilege
2372  msiexec.exe  the following 29 privileges, recorded twice in full and then a third time up to SeLockMemoryPrivilege: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Suspicious use of FindShellTrayWindow (37 IoCs)

pid   Process             count
2372  msiexec.exe         2
400   JJSploit.exe        1
1972  msedge.exe          26
1348  msedgewebview2.exe  2
2408  JJSploit.exe        1
4180  msedgewebview2.exe  2
1888  JJSploit.exe        1
4092  msedgewebview2.exe  2

Suspicious use of SendNotifyMessage (12 IoCs)

pid   Process     count
1972  msedge.exe  12
Suspicious use of WriteProcessMemory (64 IoCs)
64 entries are shown, grouped here by writer and target; procid_target is the report's own index for the target process.

pid   Process             wrote to memory of  procid_target  count
2948  msiexec.exe         908                 80             3
2948  msiexec.exe         2716                84             2
908   MsiExec.exe         400                 87             3
400   JJSploit.exe        4252                88             3
400   JJSploit.exe        1516                89             3
400   JJSploit.exe        1348                90             2
1348  msedgewebview2.exe  2548                91             2
1516  cmd.exe             1972                92             2
1972  msedge.exe          940                 93             2
1972  msedge.exe          1048                94             40
1972  msedge.exe          2288                95             2
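Every writer/target pair in this table is a parent writing into a process it has just created (the startup writes that CreateProcess performs), which is exactly the shape of the process tree in the Processes section: 2948 -> 908 -> 400 -> {4252, 1516, 1348}, and so on. The one target not in the tree is 2716, which msiexec.exe wrote to but which does not appear as a listed process. Cross-process writes into a process that is not the writer's own child would be the injection-shaped case, and none occur here. The script below is an added example, not part of this report or of Triage's tooling; PROCESS_TREE is constructed from the Processes section of this page, WRITE_LINES is a constructed subset of the rows above (one per distinct pair, with the first pair repeated to show counting), and the classification rule is the editor's own.

```python
"""Rebuild the process tree from a report's WriteProcessMemory IoCs and
separate parent-into-child writes from writes into unrelated processes."""
import re
from collections import Counter

# One row of the "Suspicious use of WriteProcessMemory" table:
#   PID <writer> wrote to memory of <target> <writer> <image> <target index>
_WPM_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<idx>\d+)$"
)

# Constructed from the Processes section of the report: pid -> (parent pid, image).
PROCESS_TREE = {
    2372: (None, "msiexec.exe"),
    2948: (None, "msiexec.exe"),
    908: (2948, "MsiExec.exe"),
    400: (908, "JJSploit.exe"),
    4252: (400, "cmd.exe"),
    1224: (4252, "msedge.exe"),
    4056: (1224, "msedge.exe"),
    1516: (400, "cmd.exe"),
    1972: (1516, "msedge.exe"),
    940: (1972, "msedge.exe"), 1048: (1972, "msedge.exe"), 2288: (1972, "msedge.exe"),
    4816: (1972, "msedge.exe"), 4176: (1972, "msedge.exe"), 3108: (1972, "msedge.exe"),
    3896: (1972, "msedge.exe"), 4012: (1972, "msedge.exe"), 2332: (1972, "msedge.exe"),
    424: (1972, "identity_helper.exe"),
    1348: (400, "msedgewebview2.exe"),
    2548: (1348, "msedgewebview2.exe"), 1684: (1348, "msedgewebview2.exe"),
    4992: (1348, "msedgewebview2.exe"), 3696: (1348, "msedgewebview2.exe"),
}

# Constructed sample: one row per distinct writer/target pair from the table above;
# the report repeats each pair several times, so the first pair is repeated here too.
WRITE_LINES = [
    "PID 2948 wrote to memory of 908 2948 msiexec.exe 80",
    "PID 2948 wrote to memory of 908 2948 msiexec.exe 80",
    "PID 2948 wrote to memory of 908 2948 msiexec.exe 80",
    "PID 2948 wrote to memory of 2716 2948 msiexec.exe 84",
    "PID 908 wrote to memory of 400 908 MsiExec.exe 87",
    "PID 400 wrote to memory of 4252 400 JJSploit.exe 88",
    "PID 400 wrote to memory of 1516 400 JJSploit.exe 89",
    "PID 400 wrote to memory of 1348 400 JJSploit.exe 90",
    "PID 1348 wrote to memory of 2548 1348 msedgewebview2.exe 91",
    "PID 1516 wrote to memory of 1972 1516 cmd.exe 92",
    "PID 1972 wrote to memory of 940 1972 msedge.exe 93",
    "PID 1972 wrote to memory of 1048 1972 msedge.exe 94",
    "PID 1972 wrote to memory of 2288 1972 msedge.exe 95",
]


def parse_writes(lines):
    """Return ({(writer, target): count}, {writer: image}) from report rows."""
    edges, images = Counter(), {}
    for line in lines:
        m = _WPM_RE.match(line.strip())
        if m:
            src, dst = int(m["src"]), int(m["dst"])
            edges[(src, dst)] += 1
            images[src] = m["image"]
    return edges, images


def classify_writes(lines, tree):
    """child_writes: the writer is the target's parent (what process creation looks like).
    cross_writes: the target exists but is not the writer's child (injection-shaped).
    unknown_target: the target pid is absent from the tree (e.g. it exited before
    being listed), so the write cannot be attributed either way."""
    edges, images = parse_writes(lines)
    out = {"child_writes": [], "cross_writes": [], "unknown_target": []}
    for (src, dst), n in sorted(edges.items()):
        rec = {"writer": src, "image": images[src], "target": dst, "count": n}
        if dst not in tree:
            out["unknown_target"].append(rec)
        elif tree[dst][0] == src:
            out["child_writes"].append(rec)
        else:
            out["cross_writes"].append(rec)
    return out


def render_tree(tree):
    """Indented 'image (pid)' lines, children sorted by pid, two spaces per level."""
    children = {}
    for pid, (ppid, _) in tree.items():
        children.setdefault(ppid, []).append(pid)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{tree[pid][1]} ({pid})")
        for child in sorted(children.get(pid, [])):
            walk(child, depth + 1)

    for root in sorted(children.get(None, [])):
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(PROCESS_TREE)))
    for kind, recs in classify_writes(WRITE_LINES, PROCESS_TREE).items():
        print(kind, recs)
```

The classification needs an independent parent/child map; taking it from the same WriteProcessMemory rows would make every write look like creation. With the tree from the Processes section, an entry in cross_writes is the row worth opening first, and an entry in unknown_target (2716 here) is a gap to close by looking for a short-lived child that the process list did not capture.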
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\JJSploit_7.3.0_x86_en-US.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2372
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 92D1EF58C444C93473B45D96B7B56BD2 C2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:908 -
C:\Program Files (x86)\JJSploit\JJSploit.exe"C:\Program Files (x86)\JJSploit\JJSploit.exe"3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:400 -
C:\Windows\SysWOW64\cmd.exe"cmd" /C start https://www.youtube.com/@Omnidev_4⤵PID:4252
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/@Omnidev_5⤵PID:1224
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffedc983cb8,0x7ffedc983cc8,0x7ffedc983cd86⤵PID:4056
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd" /C start https://www.youtube.com/@WeAreDevsExploits4⤵
- Suspicious use of WriteProcessMemory
PID:1516 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/@WeAreDevsExploits5⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1972 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffedc983cb8,0x7ffedc983cc8,0x7ffedc983cd86⤵PID:940
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,14640233687231757050,13887981003494941612,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1824 /prefetch:26⤵PID:1048
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1876,14640233687231757050,13887981003494941612,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 /prefetch:36⤵
- Suspicious behavior: EnumeratesProcesses
PID:2288
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1876,14640233687231757050,13887981003494941612,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:86⤵PID:4816
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,14640233687231757050,13887981003494941612,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:16⤵PID:4176
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,14640233687231757050,13887981003494941612,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:16⤵PID:3108
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,14640233687231757050,13887981003494941612,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4492 /prefetch:16⤵PID:3896
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,14640233687231757050,13887981003494941612,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:16⤵PID:4012
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,14640233687231757050,13887981003494941612,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4828 /prefetch:16⤵PID:2332
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1876,14640233687231757050,13887981003494941612,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5836 /prefetch:86⤵
- Suspicious behavior: EnumeratesProcesses
PID:424
-
-
-
-
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=JJSploit.exe --webview-exe-version=7.3.0 --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --no-default-browser-check --disable-component-extensions-with-background-pages --no-first-run --disable-default-apps --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --disable-features=msWebOOUI,msPdfOOUI,msSmartScreenProtection --disable-popup-blocking --internet-explorer-integration=none --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --lang=en-US --mojo-named-platform-channel-pipe=400.336.14049797593788063304⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1348 -
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=90.0.818.66 --initial-client-data=0xa0,0xe8,0x10c,0xa8,0x1b4,0x7ffedc983cb8,0x7ffedc983cc8,0x7ffedc983cd85⤵PID:2548
-
-
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=gpu-process --field-trial-handle=1792,4512404601500682515,17567117524842360131,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=7.3.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1804 /prefetch:25⤵PID:1684
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1792,4512404601500682515,17567117524842360131,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=7.3.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=1844 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
PID:4992
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1792,4512404601500682515,17567117524842360131,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=7.3.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=2340 /prefetch:85⤵PID:3696
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=renderer --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --field-trial-handle=1792,4512404601500682515,17567117524842360131,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=7.3.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3024 /prefetch:15⤵PID:1288
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵PID:2716
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
PID:4932
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4160
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3280
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc1⤵PID:2648
C:\Windows\System32\oobe\UserOOBEBroker.exeC:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding1⤵
- Drops file in Windows directory
PID:2492
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exeC:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding1⤵PID:2300
C:\Program Files (x86)\JJSploit\JJSploit.exe"C:\Program Files (x86)\JJSploit\JJSploit.exe"1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:2408 -
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=JJSploit.exe --webview-exe-version=7.3.0 --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --no-default-browser-check --disable-component-extensions-with-background-pages --no-first-run --disable-default-apps --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --disable-features=msWebOOUI,msPdfOOUI,msSmartScreenProtection --disable-popup-blocking --internet-explorer-integration=none --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --lang=en-US --mojo-named-platform-channel-pipe=2408.4092.78365470332294750122⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:4180 -
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=90.0.818.66 --initial-client-data=0x124,0x128,0x12c,0x100,0x1c0,0x7ffedc983cb8,0x7ffedc983cc8,0x7ffedc983cd83⤵PID:3592
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=gpu-process --field-trial-handle=1732,571582114137273842,8646279838998941852,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=7.3.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1720 /prefetch:23⤵PID:2640
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1732,571582114137273842,8646279838998941852,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=7.3.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=2076 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
PID:1488
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1732,571582114137273842,8646279838998941852,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=7.3.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=2412 /prefetch:83⤵PID:4548
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=renderer --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --field-trial-handle=1732,571582114137273842,8646279838998941852,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=7.3.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2816 /prefetch:13⤵PID:3076
C:\Program Files (x86)\JJSploit\JJSploit.exe"C:\Program Files (x86)\JJSploit\JJSploit.exe"1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:1888 -
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=JJSploit.exe --webview-exe-version=7.3.0 --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --no-default-browser-check --disable-component-extensions-with-background-pages --no-first-run --disable-default-apps --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --disable-features=msWebOOUI,msPdfOOUI,msSmartScreenProtection --disable-popup-blocking --internet-explorer-integration=none --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --lang=en-US --mojo-named-platform-channel-pipe=1888.2672.1862760470919121832⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:4092 -
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=90.0.818.66 --initial-client-data=0x108,0x10c,0x110,0xe4,0x118,0x7ffedc983cb8,0x7ffedc983cc8,0x7ffedc983cd83⤵PID:1440
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=gpu-process --field-trial-handle=1820,15285747324839006874,258755938837946127,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=7.3.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1832 /prefetch:23⤵PID:2848
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1820,15285747324839006874,258755938837946127,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=7.3.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=1888 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
PID:3208
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1820,15285747324839006874,258755938837946127,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=7.3.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=2364 /prefetch:83⤵PID:1588
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=renderer --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --field-trial-handle=1820,15285747324839006874,258755938837946127,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=7.3.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2772 /prefetch:13⤵PID:3340
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3148
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5040
Downloads
-
Filesize
110KB
MD512aff5c24b1e165da94cc9ddef6d752a
SHA1345a57b067d6c7561b149b6a7de1d0cf53e42cc9
SHA256b49ee954c97289b707fcaed55266f7c49720d1c24f4a8872038384155081aabf
SHA512fd584f3d7e3a5603ff2699e1b4930d6594b0ea09c0a194b7329f44d3d4d2e1e985a42ab512afc1b6a0f35412ef839d35f27fab1f6506e871d74c648c3adb0ae6
-
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\e9292f07-091a-4675-a3d5-6a16f3c770eb.tmp
Filesize1B
MD55058f1af8388633f609cadb75a75dc9d
SHA13a52ce780950d4d969792a2559cd519d7ee8c727
SHA256cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA5120b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21
-
Filesize
44KB
MD5144dfaaa82df72858197f4ef7ddd34f2
SHA1e6bbbc5593c1d782e2d23c6ba6a5f5468e7548fa
SHA256fe2844d9713e3f49ff6e5c6d5e9f3b7af671fe9165cafe01ebbaf61bb1ae84b9
SHA5125a53b1dfd4729dd2cf7c5fb45b4b15e3b1729c7c7dca1a029b39964a6e0f9435bde61ba5c8e7b859254798fa135264c9814533409e5980159e52cdca2b1a5793
-
Filesize
11B
MD5b29bcf9cd0e55f93000b4bb265a9810b
SHA1e662b8c98bd5eced29495dbe2a8f1930e3f714b8
SHA256f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4
SHA512e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011
-
Filesize
2KB
MD59869d159aa2ac93fb9de2c036d76d4db
SHA19de301be84b9478abfb2d6e8a5817e3d7669b3be
SHA2566836a660db038d1a95c288db0719e969b9766032b91105179c098b65fd76a00e
SHA512589e7fe94f50b484d3f913d3ee89566ff2403c1ebc0c601f1f07dff7eab7161dad363074ce5e41e0a31e3485aa58227722afc2592d9c6e0c2994ae8ec15e3aa7
-
Filesize
2KB
MD5e316caf3ec14e2a9a9f1f17f1e40b416
SHA1a43c65ae8e4496b70ed1e16930f85269b2953602
SHA256b12e032ce1aac9247de8011698b74e65e1ca5a721a3ed51b80fcc77d3a6d17f5
SHA512d87d9cc80548a6f0c2a25b06f12b153ddc421d18ad1250bcb26e60b17429f76e2e633e39d2d49f722441e16981ad2492beee9769afc489d39dc93e10d0ae75d4
-
Filesize
256KB
MD548bd650cecd62103e877fa6bf29e5f18
SHA1ed8c7509a3a1caf07dc4ebd7809ef37c3dfe4f0b
SHA256a4b43c1d8153ece8025cf4756b16d2fc2b7bffb851c0a75b23d8d648f77ab765
SHA512e0cfdbff95e7dc8ec411a488727f40d7db71df8aafa4a7a7624f680b3a6997d5f6e60f10ab7400d86a11e859d922dba7310161a611411959b75a8253159ec375
-
Filesize
2KB
MD5471590a8ca9ec8a01aa4ea7fb3ed76b3
SHA163237a892e9830a1f69e5e102d3453ebe19b8a05
SHA25666ec1b08f4355b7836a72e9d29c3bf06fcd0ade2130dded8aa8bcf7c4becf00e
SHA5125aab03c3a82b6e2c85d8119c4941802f8e1c78b7036ed1f5d4d3b50e7b6a4d16dc64ff85ec94d14919561baac9d1692eac7ec7f7d40dbfee299d7cc90ecf0b2e
-
Filesize
54B
MD52670b82e1ed700d6034682c72617e748
SHA11f52a65b2d7245aaf73736068ef18cb5c6922bb1
SHA2569389fd84d2ebe08bc0bd4df0ff66b35d2e85b987a0b3bc7563a1ec40a0754cd4
SHA5129f5247de589414ce31a3e00d6db16698af722ecd7a24c564d8a8cc374bf1771cabb8be39876634f1284658de24d42237767dc7b3a82c4a312bc86421fa3673ec
-
Filesize
5.8MB
MD59c232fe2ede51929244afc5c67e53b51
SHA18e8bb0eda09d25c1f44b8abd66a7e15a414b76f5
SHA2561985fdbec700334fbb2c907f37a102930744e6b3e9198c25f516eae9f6854e9b
SHA512d7ba56ed15a4bb482a69543e6bfe11d0aed4bf6b6b037d51dc2d191e1eaae187d1297bbb7c847d73259c34bb9ee26f26f3689c2592b4ff92968101303be61492
-
Filesize
12.8MB
MD5db16729c7417b31d87d0c7b5f8ae06c3
SHA13a77feba60e8e27d10d5bf25439626ac4ed4c40d
SHA256f0b116768460b1e148ac2db812fc5df3a9e02dba3618212e9ea05e7fc8a4e5e7
SHA51244f48c809860877dd377cf05c3036826e7752acee3a0da9a9660046b170b31dff59cb0ffd7dc3b7841caf5609d5b99446d44e8e8e01323ed5598d35d1c44ad5e
-
\??\Volume{b39e1afb-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{6de80413-02bb-4193-840c-1353073b6f7d}_OnDiskSnapshotProp
Filesize6KB
MD578e8a936d102696e4b32a223f4618e1c
SHA1fbe7cfae025b23cbaa8cfc25346c9b46781777ad
SHA256f84161f5086c702acbb0a738b75751ef7bbab6be867e6f222cb515a7447b58d1
SHA512e7cba3c22827740105bb2089002b56fb8f2dff16c0fb73978c096158b646edadfa4da1221364b78ecf7f4715fa523a2f5dd5caa202f9516ed3adaa080f6054bd