1985fdbec700334fbb2c907f37a102930744e6b3e9198c25f516eae9f6854e9b

Analysis

max time kernel
92s
max time network
93s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
06/04/2024, 00:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JJSploit_7.3.0_x86_en-US.msi
Size

5.8MB
MD5

9c232fe2ede51929244afc5c67e53b51
SHA1

8e8bb0eda09d25c1f44b8abd66a7e15a414b76f5
SHA256

1985fdbec700334fbb2c907f37a102930744e6b3e9198c25f516eae9f6854e9b
SHA512

d7ba56ed15a4bb482a69543e6bfe11d0aed4bf6b6b037d51dc2d191e1eaae187d1297bbb7c847d73259c34bb9ee26f26f3689c2592b4ff92968101303be61492
SSDEEP

98304:57AC5TdoYMyLSRpyviWkKPm7I2lLYaQ9OoSwYQf9Ib9XuvmhueA34SHeFblFY6nm:/T+USRLWtPm/O9SwYmIb9S5K3F6Wa

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe

Drops file in Program Files directory 22 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\JJSploit\resources\luascripts\animations\walkthrough.lua	msiexec.exe
File created	C:\Program Files (x86)\JJSploit\resources\luascripts\animations\energizegui.lua	msiexec.exe
File created	C:\Program Files (x86)\JJSploit\Uninstall JJSploit.lnk	msiexec.exe
File created	C:\Program Files (x86)\JJSploit\JJSploit.exe	msiexec.exe
File created	C:\Program Files (x86)\JJSploit\resources\luascripts\animations\jumpland.lua	msiexec.exe
File created	C:\Program Files (x86)\JJSploit\resources\luascripts\jailbreak\removewalls.lua	msiexec.exe
File created	C:\Program Files (x86)\JJSploit\resources\luascripts\general\god.lua	msiexec.exe
File created	C:\Program Files (x86)\JJSploit\resources\luascripts\jailbreak\criminalesp.lua	msiexec.exe
File created	C:\Program Files (x86)\JJSploit\resources\luascripts\general\magnetizeto.lua	msiexec.exe
File created	C:\Program Files (x86)\JJSploit\resources\luascripts\general\infinitejump.lua	msiexec.exe
File created	C:\Program Files (x86)\JJSploit\resources\luascripts\jailbreak\policeesp.lua	msiexec.exe
File created	C:\Program Files (x86)\JJSploit\resources\luascripts\general\teleportto.lua	msiexec.exe
File created	C:\Program Files (x86)\JJSploit\resources\luascripts\general\aimbot.lua	msiexec.exe
File created	C:\Program Files (x86)\JJSploit\resources\luascripts\animations\dab.lua	msiexec.exe
File created	C:\Program Files (x86)\JJSploit\resources\luascripts\animations\levitate.lua	msiexec.exe
File created	C:\Program Files (x86)\JJSploit\resources\luascripts\beesim\autodig.lua	msiexec.exe
File created	C:\Program Files (x86)\JJSploit\resources\luascripts\general\chattroll.lua	msiexec.exe
File created	C:\Program Files (x86)\JJSploit\resources\luascripts\general\tptool.lua	msiexec.exe
File created	C:\Program Files (x86)\JJSploit\resources\luascripts\general\fly.lua	msiexec.exe
File created	C:\Program Files (x86)\JJSploit\resources\luascripts\general\noclip.lua	msiexec.exe
File created	C:\Program Files (x86)\JJSploit\resources\luascripts\general\multidimensionalcharacter.lua	msiexec.exe
File created	C:\Program Files (x86)\JJSploit\resources\luascripts\jailbreak\walkspeed.lua	msiexec.exe

Drops file in Windows directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\SystemTemp\~DF3106AA00908F1CA6.TMP	msiexec.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7C15.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{31543371-3E1F-49AD-AC6D-E72F218E3508}\ProductIcon	msiexec.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File created	C:\Windows\SystemTemp\~DFF62E1C5E8C709E71.TMP	msiexec.exe
File created	C:\Windows\Installer\SourceHash{31543371-3E1F-49AD-AC6D-E72F218E3508}	msiexec.exe
File created	C:\Windows\Installer\e577b1d.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF442A4282115C5D4B.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DF623FBDA35ADC81B0.TMP	msiexec.exe
File created	C:\Windows\Installer\e577b1b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e577b1b.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\{31543371-3E1F-49AD-AC6D-E72F218E3508}\ProductIcon	msiexec.exe

Executes dropped EXE 3 IoCs

pid	Process
400	JJSploit.exe
2408	JJSploit.exe
1888	JJSploit.exe

Loads dropped DLL 2 IoCs

pid	Process
908	MsiExec.exe
908	MsiExec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000fb1a9eb37f5a4fba0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000fb1a9eb30000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900fb1a9eb3000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dfb1a9eb3000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000fb1a9eb300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedgewebview2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedgewebview2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedgewebview2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedgewebview2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedgewebview2.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22	msiexec.exe

Modifies registry class 26 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\17334513F1E3DA94CAD67EF212E85380\ProductName = "JJSploit"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\17334513F1E3DA94CAD67EF212E85380\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\17334513F1E3DA94CAD67EF212E85380\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\17334513F1E3DA94CAD67EF212E85380	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\17334513F1E3DA94CAD67EF212E85380	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\17334513F1E3DA94CAD67EF212E85380\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\17334513F1E3DA94CAD67EF212E85380\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\17334513F1E3DA94CAD67EF212E85380\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\17334513F1E3DA94CAD67EF212E85380\SourceList\PackageName = "JJSploit_7.3.0_x86_en-US.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\17334513F1E3DA94CAD67EF212E85380\Environment = "MainProgram"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\17334513F1E3DA94CAD67EF212E85380\External	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\17334513F1E3DA94CAD67EF212E85380\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\17334513F1E3DA94CAD67EF212E85380\PackageCode = "19403D63BCD23974184F1D0CF7151CBF"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\17334513F1E3DA94CAD67EF212E85380\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\1B5BE67603097495AB20AEE6179D01CA	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\17334513F1E3DA94CAD67EF212E85380\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\17334513F1E3DA94CAD67EF212E85380\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\17334513F1E3DA94CAD67EF212E85380\ShortcutsFeature = "MainProgram"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\17334513F1E3DA94CAD67EF212E85380\Version = "117637120"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\17334513F1E3DA94CAD67EF212E85380\ProductIcon = "C:\\Windows\\Installer\\{31543371-3E1F-49AD-AC6D-E72F218E3508}\\ProductIcon"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\17334513F1E3DA94CAD67EF212E85380\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\17334513F1E3DA94CAD67EF212E85380\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\1B5BE67603097495AB20AEE6179D01CA\17334513F1E3DA94CAD67EF212E85380	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\17334513F1E3DA94CAD67EF212E85380\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\17334513F1E3DA94CAD67EF212E85380\MainProgram	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\17334513F1E3DA94CAD67EF212E85380\Language = "0"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2948	msiexec.exe
2948	msiexec.exe
2288	msedge.exe
2288	msedge.exe
1972	msedge.exe
1972	msedge.exe
4992	msedgewebview2.exe
4992	msedgewebview2.exe
424	identity_helper.exe
424	identity_helper.exe
1488	msedgewebview2.exe
1488	msedgewebview2.exe
3208	msedgewebview2.exe
3208	msedgewebview2.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1348	msedgewebview2.exe
1972	msedge.exe
1972	msedge.exe
4180	msedgewebview2.exe
4092	msedgewebview2.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2372	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2372	msiexec.exe
Token: SeSecurityPrivilege	2948	msiexec.exe
Token: SeCreateTokenPrivilege	2372	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2372	msiexec.exe
Token: SeLockMemoryPrivilege	2372	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2372	msiexec.exe
Token: SeMachineAccountPrivilege	2372	msiexec.exe
Token: SeTcbPrivilege	2372	msiexec.exe
Token: SeSecurityPrivilege	2372	msiexec.exe
Token: SeTakeOwnershipPrivilege	2372	msiexec.exe
Token: SeLoadDriverPrivilege	2372	msiexec.exe
Token: SeSystemProfilePrivilege	2372	msiexec.exe
Token: SeSystemtimePrivilege	2372	msiexec.exe
Token: SeProfSingleProcessPrivilege	2372	msiexec.exe
Token: SeIncBasePriorityPrivilege	2372	msiexec.exe
Token: SeCreatePagefilePrivilege	2372	msiexec.exe
Token: SeCreatePermanentPrivilege	2372	msiexec.exe
Token: SeBackupPrivilege	2372	msiexec.exe
Token: SeRestorePrivilege	2372	msiexec.exe
Token: SeShutdownPrivilege	2372	msiexec.exe
Token: SeDebugPrivilege	2372	msiexec.exe
Token: SeAuditPrivilege	2372	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2372	msiexec.exe
Token: SeChangeNotifyPrivilege	2372	msiexec.exe
Token: SeRemoteShutdownPrivilege	2372	msiexec.exe
Token: SeUndockPrivilege	2372	msiexec.exe
Token: SeSyncAgentPrivilege	2372	msiexec.exe
Token: SeEnableDelegationPrivilege	2372	msiexec.exe
Token: SeManageVolumePrivilege	2372	msiexec.exe
Token: SeImpersonatePrivilege	2372	msiexec.exe
Token: SeCreateGlobalPrivilege	2372	msiexec.exe
Token: SeCreateTokenPrivilege	2372	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2372	msiexec.exe
Token: SeLockMemoryPrivilege	2372	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2372	msiexec.exe
Token: SeMachineAccountPrivilege	2372	msiexec.exe
Token: SeTcbPrivilege	2372	msiexec.exe
Token: SeSecurityPrivilege	2372	msiexec.exe
Token: SeTakeOwnershipPrivilege	2372	msiexec.exe
Token: SeLoadDriverPrivilege	2372	msiexec.exe
Token: SeSystemProfilePrivilege	2372	msiexec.exe
Token: SeSystemtimePrivilege	2372	msiexec.exe
Token: SeProfSingleProcessPrivilege	2372	msiexec.exe
Token: SeIncBasePriorityPrivilege	2372	msiexec.exe
Token: SeCreatePagefilePrivilege	2372	msiexec.exe
Token: SeCreatePermanentPrivilege	2372	msiexec.exe
Token: SeBackupPrivilege	2372	msiexec.exe
Token: SeRestorePrivilege	2372	msiexec.exe
Token: SeShutdownPrivilege	2372	msiexec.exe
Token: SeDebugPrivilege	2372	msiexec.exe
Token: SeAuditPrivilege	2372	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2372	msiexec.exe
Token: SeChangeNotifyPrivilege	2372	msiexec.exe
Token: SeRemoteShutdownPrivilege	2372	msiexec.exe
Token: SeUndockPrivilege	2372	msiexec.exe
Token: SeSyncAgentPrivilege	2372	msiexec.exe
Token: SeEnableDelegationPrivilege	2372	msiexec.exe
Token: SeManageVolumePrivilege	2372	msiexec.exe
Token: SeImpersonatePrivilege	2372	msiexec.exe
Token: SeCreateGlobalPrivilege	2372	msiexec.exe
Token: SeCreateTokenPrivilege	2372	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2372	msiexec.exe
Token: SeLockMemoryPrivilege	2372	msiexec.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
2372	msiexec.exe
2372	msiexec.exe
400	JJSploit.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1348	msedgewebview2.exe
1348	msedgewebview2.exe
1972	msedge.exe
2408	JJSploit.exe
4180	msedgewebview2.exe
4180	msedgewebview2.exe
1888	JJSploit.exe
4092	msedgewebview2.exe
4092	msedgewebview2.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2948 wrote to memory of 908	2948	msiexec.exe	80
PID 2948 wrote to memory of 908	2948	msiexec.exe	80
PID 2948 wrote to memory of 908	2948	msiexec.exe	80
PID 2948 wrote to memory of 2716	2948	msiexec.exe	84
PID 2948 wrote to memory of 2716	2948	msiexec.exe	84
PID 908 wrote to memory of 400	908	MsiExec.exe	87
PID 908 wrote to memory of 400	908	MsiExec.exe	87
PID 908 wrote to memory of 400	908	MsiExec.exe	87
PID 400 wrote to memory of 4252	400	JJSploit.exe	88
PID 400 wrote to memory of 4252	400	JJSploit.exe	88
PID 400 wrote to memory of 4252	400	JJSploit.exe	88
PID 400 wrote to memory of 1516	400	JJSploit.exe	89
PID 400 wrote to memory of 1516	400	JJSploit.exe	89
PID 400 wrote to memory of 1516	400	JJSploit.exe	89
PID 400 wrote to memory of 1348	400	JJSploit.exe	90
PID 400 wrote to memory of 1348	400	JJSploit.exe	90
PID 1348 wrote to memory of 2548	1348	msedgewebview2.exe	91
PID 1348 wrote to memory of 2548	1348	msedgewebview2.exe	91
PID 1516 wrote to memory of 1972	1516	cmd.exe	92
PID 1516 wrote to memory of 1972	1516	cmd.exe	92
PID 1972 wrote to memory of 940	1972	msedge.exe	93
PID 1972 wrote to memory of 940	1972	msedge.exe	93
PID 1972 wrote to memory of 1048	1972	msedge.exe	94
PID 1972 wrote to memory of 1048	1972	msedge.exe	94
PID 1972 wrote to memory of 1048	1972	msedge.exe	94
PID 1972 wrote to memory of 1048	1972	msedge.exe	94
PID 1972 wrote to memory of 1048	1972	msedge.exe	94
PID 1972 wrote to memory of 1048	1972	msedge.exe	94
PID 1972 wrote to memory of 1048	1972	msedge.exe	94
PID 1972 wrote to memory of 1048	1972	msedge.exe	94
PID 1972 wrote to memory of 1048	1972	msedge.exe	94
PID 1972 wrote to memory of 1048	1972	msedge.exe	94
PID 1972 wrote to memory of 1048	1972	msedge.exe	94
PID 1972 wrote to memory of 1048	1972	msedge.exe	94
PID 1972 wrote to memory of 1048	1972	msedge.exe	94
PID 1972 wrote to memory of 1048	1972	msedge.exe	94
PID 1972 wrote to memory of 1048	1972	msedge.exe	94
PID 1972 wrote to memory of 1048	1972	msedge.exe	94
PID 1972 wrote to memory of 1048	1972	msedge.exe	94
PID 1972 wrote to memory of 1048	1972	msedge.exe	94
PID 1972 wrote to memory of 1048	1972	msedge.exe	94
PID 1972 wrote to memory of 1048	1972	msedge.exe	94
PID 1972 wrote to memory of 1048	1972	msedge.exe	94
PID 1972 wrote to memory of 1048	1972	msedge.exe	94
PID 1972 wrote to memory of 1048	1972	msedge.exe	94
PID 1972 wrote to memory of 1048	1972	msedge.exe	94
PID 1972 wrote to memory of 1048	1972	msedge.exe	94
PID 1972 wrote to memory of 1048	1972	msedge.exe	94
PID 1972 wrote to memory of 1048	1972	msedge.exe	94
PID 1972 wrote to memory of 1048	1972	msedge.exe	94
PID 1972 wrote to memory of 1048	1972	msedge.exe	94
PID 1972 wrote to memory of 1048	1972	msedge.exe	94
PID 1972 wrote to memory of 1048	1972	msedge.exe	94
PID 1972 wrote to memory of 1048	1972	msedge.exe	94
PID 1972 wrote to memory of 1048	1972	msedge.exe	94
PID 1972 wrote to memory of 1048	1972	msedge.exe	94
PID 1972 wrote to memory of 1048	1972	msedge.exe	94
PID 1972 wrote to memory of 1048	1972	msedge.exe	94
PID 1972 wrote to memory of 1048	1972	msedge.exe	94
PID 1972 wrote to memory of 1048	1972	msedge.exe	94
PID 1972 wrote to memory of 1048	1972	msedge.exe	94
PID 1972 wrote to memory of 1048	1972	msedge.exe	94
PID 1972 wrote to memory of 2288	1972	msedge.exe	95
PID 1972 wrote to memory of 2288	1972	msedge.exe	95

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\JJSploit_7.3.0_x86_en-US.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2372

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2948
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 92D1EF58C444C93473B45D96B7B56BD2 C
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:908
- - C:\Program Files (x86)\JJSploit\JJSploit.exe
    "C:\Program Files (x86)\JJSploit\JJSploit.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:400
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /C start https://www.youtube.com/@Omnidev_
      4⤵
      PID:4252
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/@Omnidev_
        5⤵
        
        PID:1224
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffedc983cb8,0x7ffedc983cc8,0x7ffedc983cd8
        6⤵
        
        PID:4056
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /C start https://www.youtube.com/@WeAreDevsExploits
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1516
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/@WeAreDevsExploits
        5⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1972
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffedc983cb8,0x7ffedc983cc8,0x7ffedc983cd8
        6⤵
        
        PID:940
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,14640233687231757050,13887981003494941612,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1824 /prefetch:2
        6⤵
        
        PID:1048
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1876,14640233687231757050,13887981003494941612,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2288
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1876,14640233687231757050,13887981003494941612,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
        6⤵
        
        PID:4816
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,14640233687231757050,13887981003494941612,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
        6⤵
        
        PID:4176
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,14640233687231757050,13887981003494941612,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
        6⤵
        
        PID:3108
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,14640233687231757050,13887981003494941612,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4492 /prefetch:1
        6⤵
        
        PID:3896
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,14640233687231757050,13887981003494941612,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:1
        6⤵
        
        PID:4012
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,14640233687231757050,13887981003494941612,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4828 /prefetch:1
        6⤵
        
        PID:2332
      - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1876,14640233687231757050,13887981003494941612,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5836 /prefetch:8
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:424
  - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=JJSploit.exe --webview-exe-version=7.3.0 --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --no-default-browser-check --disable-component-extensions-with-background-pages --no-first-run --disable-default-apps --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --disable-features=msWebOOUI,msPdfOOUI,msSmartScreenProtection --disable-popup-blocking --internet-explorer-integration=none --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --lang=en-US --mojo-named-platform-channel-pipe=400.336.1404979759378806330
      4⤵
      Enumerates system info in registry
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:1348
    - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=90.0.818.66 --initial-client-data=0xa0,0xe8,0x10c,0xa8,0x1b4,0x7ffedc983cb8,0x7ffedc983cc8,0x7ffedc983cd8
        5⤵
        
        PID:2548
    - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=gpu-process --field-trial-handle=1792,4512404601500682515,17567117524842360131,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=7.3.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1804 /prefetch:2
        5⤵
        
        PID:1684
    - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1792,4512404601500682515,17567117524842360131,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=7.3.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=1844 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4992
    - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1792,4512404601500682515,17567117524842360131,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=7.3.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=2340 /prefetch:8
        5⤵
        
        PID:3696
    - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=renderer --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --field-trial-handle=1792,4512404601500682515,17567117524842360131,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=7.3.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3024 /prefetch:1
        5⤵
        
        PID:1288
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:2716

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:4932

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4160

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:2648

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:2492

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:2300

C:\Program Files (x86)\JJSploit\JJSploit.exe
"C:\Program Files (x86)\JJSploit\JJSploit.exe"
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:2408
- C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
  "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=JJSploit.exe --webview-exe-version=7.3.0 --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --no-default-browser-check --disable-component-extensions-with-background-pages --no-first-run --disable-default-apps --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --disable-features=msWebOOUI,msPdfOOUI,msSmartScreenProtection --disable-popup-blocking --internet-explorer-integration=none --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --lang=en-US --mojo-named-platform-channel-pipe=2408.4092.7836547033229475012
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  PID:4180
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=90.0.818.66 --initial-client-data=0x124,0x128,0x12c,0x100,0x1c0,0x7ffedc983cb8,0x7ffedc983cc8,0x7ffedc983cd8
    3⤵
    PID:3592
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=gpu-process --field-trial-handle=1732,571582114137273842,8646279838998941852,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=7.3.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1720 /prefetch:2
    3⤵
    PID:2640
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1732,571582114137273842,8646279838998941852,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=7.3.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=2076 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1488
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1732,571582114137273842,8646279838998941852,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=7.3.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=2412 /prefetch:8
    3⤵
    PID:4548
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=renderer --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --field-trial-handle=1732,571582114137273842,8646279838998941852,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=7.3.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2816 /prefetch:1
    3⤵
    PID:3076

C:\Program Files (x86)\JJSploit\JJSploit.exe
"C:\Program Files (x86)\JJSploit\JJSploit.exe"
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:1888
- C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
  "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=JJSploit.exe --webview-exe-version=7.3.0 --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --no-default-browser-check --disable-component-extensions-with-background-pages --no-first-run --disable-default-apps --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --disable-features=msWebOOUI,msPdfOOUI,msSmartScreenProtection --disable-popup-blocking --internet-explorer-integration=none --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --lang=en-US --mojo-named-platform-channel-pipe=1888.2672.186276047091912183
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  PID:4092
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=90.0.818.66 --initial-client-data=0x108,0x10c,0x110,0xe4,0x118,0x7ffedc983cb8,0x7ffedc983cc8,0x7ffedc983cd8
    3⤵
    PID:1440
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=gpu-process --field-trial-handle=1820,15285747324839006874,258755938837946127,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=7.3.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1832 /prefetch:2
    3⤵
    PID:2848
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1820,15285747324839006874,258755938837946127,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=7.3.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=1888 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3208
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1820,15285747324839006874,258755938837946127,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=7.3.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=2364 /prefetch:8
    3⤵
    PID:1588
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=renderer --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --field-trial-handle=1820,15285747324839006874,258755938837946127,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=7.3.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2772 /prefetch:1
    3⤵
    PID:3340

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3148

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e577b1c.rbs

Filesize
22KB

MD5
06acb12ab633cae890e3deaf6471efb4

SHA1
087290e4cc6cb97e32f79108cc72e99f26530d25

SHA256
846f7798551db68cad2f4e405d0320e157a59f122431023c79e9b64591127641

SHA512
dbf7eb23e690154b199efe6233ad8ede99d7fcc1aa407c861ec00fbc322cda9a5a1d204c51179681406dfde0442b9070dbb99fcbc4df95522340046dfc165f80

Download Submit
C:\Program Files (x86)\JJSploit\JJSploit.exe

Filesize
9.9MB

MD5
9025b1a81a264417aa8aa18a56075f88

SHA1
d3b0c130acd815e9f7430d7f0857b05430420279

SHA256
2a19e43202cef88fdabb63be7811cb4214ed455aeac227ea6a86b19d60a9d14d

SHA512
63ea2d941ba66a30fbd57aee2758129414563e556479ff8e0911c4db0c8d2827ef58750b665e1b630009a730f542f790f771c89c9e5148747b98a4741c334d7c

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\JJSploit\JJSploit.lnk

Filesize
2KB

MD5
0a2753680de0bb1023a241ac91db7784

SHA1
18dea9792b454f5b89fe81156e5d99f7fe977e60

SHA256
469f596b2d25739e7864caa23bfca24c41457f5851b58b5bedbf9ac8e54afb00

SHA512
946c177f0a2fcd3c796023d9d747f1fa43d5f016982d434f7350ccda9e9db3dc355a9cadea4bd6770fb8869bb11dcad45e0bc9253d89dbd28a77aca35a8a1205

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\JJSploit\JJSploit.lnk~RFe577dac.TMP

Filesize
1KB

MD5
bd092776cb5a1e3782d5e6291dc39b07

SHA1
65be61da8d85d31facab01eca516c2b51e2a2c67

SHA256
da305e218aeb190621c4a570f93ef810673900cae4e6bb725e9f6a5a0a3c8237

SHA512
98e6a3413dd0e6580320d1617392c8a073dea27ad31b172cda4e822fc42d245e716c690c3db0dbc065b5e5c8ebb62d11cb0e926731bd562468979b8ccdf5978b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
19a8bcb40a17253313345edd2a0da1e7

SHA1
86fac74b5bbc59e910248caebd1176a48a46d72e

SHA256
b8024fbed11683ef4b53f5afac0ff691025b7eecca0f6a95737da1585558227e

SHA512
9f8780f49d30aad01b28189804329aeca6ad2b7ffb6be505d40bb1af7802bb62622f518cb1c43a5815bbbb46638f6c52aead3d68f14fa957d18157edb42e95c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
96899614360333c9904499393c6e3d75

SHA1
bbfa17cf8df01c266323965735f00f0e9e04cd34

SHA256
486e4b4bb11f664c91c675e73cfeabe53b5009ae719459813be17814cd97e43c

SHA512
974735b40a9f92b40a37a698f7f333590f32ff45633c6e619500e74ec274bc20bf7dbc830b1685777b714d37a3ca103d741ee056f4ff45ef08c07b38a7895df7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
3b04b1569ad0ab4f34e83e487b81d09c

SHA1
68691158c91b481affe353355f665be41cd6fba8

SHA256
7a5c5e7c46f018df796a70f9b6551dcf133ee1df24616e7269a5c4f0ab8e1b79

SHA512
68723344e77f1becbb2ea7623c21bb7a31aa74fbb97651f34dd62d6074a98836b7680f502f3b6c03bf699ed8f9a19e109e53beb302e5fb7fa36542d7262c90dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
2f7f5ea51940a60488cef7838a370fba

SHA1
03ac1d789238b32e609cfefca8493174ca2c8bf7

SHA256
5f3f094c95c350ff50fc7028937300ab2002470cf5588698453454d8a9d81bc7

SHA512
f5edd1285acc5db0c23ad42a70f685fe38e8759b42649b254dd8d256e6ceee9eaad781ebaa1e1c19e30e1ee95eee5460a0ff86ad318c381776861ef53ab2e6dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6551ae7a1a765fdb16f07f94dac82e91

SHA1
3240da92f880ca929926ff0669f8423b9bbaf978

SHA256
43f7e5f3d0e7b501500baa0fbc571ef240d1b60cf3de8ff13bd4acdf76c52e14

SHA512
a465f43b2c9918b3bf17e166696077fa255eaa4763660f35b77dcb5940843a6542bb3967d6e53fb55a0f4d480d8a2915e81b0ddde713416a8157dd16ce851fc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
74f8c943afb22d8ec3aabb7336d05fe8

SHA1
ed8b29fcb38e23b624943398700ce44236a14ae2

SHA256
99b2ac133bbf60a2711c4cb339b9408538d6a536b39c0b404929b327c0b6fe72

SHA512
d1dfa4f0ceb363f42613e880e481ebfb81ecd18499907ce484db1a3292cb6fdd60e52f16ee6fea5b6278c8a62dd4c156b143ef59918b15df7dd87c784b7f86cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8d4cf857cedffc545b10c08e0af01efb

SHA1
a5d581e267239cb3ed00fa94a72afe26d55dbb85

SHA256
87e4317258355dfa0ee758f7026a47b3388776f277b05a8cee5be2ab16cc6472

SHA512
73e38d666d6926d23b99c832afc36ce3a11bd85554743ac5d71d3d872b77fcada66fc2ec790b90d175068638291a1529534e0f007363c7621f502c2f6af9438c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI5E2D.tmp

Filesize
113KB

MD5
4fdd16752561cf585fed1506914d73e0

SHA1
f00023b9ae3c8ce5b7bb92f25011eaebe6f9d424

SHA256
aecd2d2fe766f6d439acc2bbf1346930ecc535012cf5ad7b3273d2875237b7e7

SHA512
3695e7eb1e35ec959243a91ab5b4454eb59aeef0f2699aa5de8e03de8fbb89f756a89130526da5c08815408cb700284a17936522ad2cad594c3e6e9d18a3f600

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI9461.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Crashpad\settings.dat

Filesize
152B

MD5
57f0051b69b7d62e3860463ed655a454

SHA1
934b76632c615d6644c54bac7f8929b960b06a5a

SHA256
9dca19b39e6e364d29c06981aaf4aaae342c21ba61f2d041f5f55c95ce50f715

SHA512
605bcd9ee8a479d663f4ed7322a8e840732b19b2fe8a8dcd11db49e8b1c43f388ae0645bc58c5c6ea15ba7760bda0239cb3d29364e41890bc6b87103b578565f

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Crashpad\settings.dat

Filesize
152B

MD5
63542e456890b07ee91d55a564b85a25

SHA1
002c53c04bf0b48cd455d4c64f21d395d35dca51

SHA256
c9d776d1aa77794cd829f90d454585ea81fe279c7b54a6c1e953e73bd55f4184

SHA512
0ba75acd94a6f59e5b669862b319cf5f2ca2eb5299a520a2178e454581a45af7579ea9a61e42dd8579bc21cd8bd87549de90b3a3fce7ed3a2f77a675cb22af44

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Crashpad\throttle_store.dat

Filesize
20B

MD5
9e4e94633b73f4a7680240a0ffd6cd2c

SHA1
e68e02453ce22736169a56fdb59043d33668368f

SHA256
41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304

SHA512
193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\Code Cache\js\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
52743388e39e460002f6a794844b255b

SHA1
ad8e1eec45faddfb4936e2ce44b8e881991ff385

SHA256
9dcf2ed277bd779cccc8cde3a8bac63a248d02eb756ac2ca8e7b2823a9b9e1ec

SHA512
4bac47b90e87b7d8d16746c43812b9dd40b93d2a383106556431774af69b688dee2263b9bbdcfebd195a05f86f2dcf4ef06b6186501c9b7ba3a500e024bd38c9

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\Code Cache\wasm\index-dir\the-real-index

Filesize
48B

MD5
9e9792b33711a338cb55555ce205b819

SHA1
35422ab9c33478b02f3e3e1b43312861c82b07de

SHA256
66a56e484bbac9534392ca7dad735275fe0aa6de7466c2e370d53b36d033755d

SHA512
33905e032d23d3568620866ebff7079cdec80773cc680f013d9b9fe2bb48cfc7bc6d8a4405b0dfc1836c8957b486ba34da290b2c8fefd3464c3dc9b2887167f6

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\Favicons

Filesize
20KB

MD5
5688ce73407154729a65e71e4123ab21

SHA1
9a2bb4125d44f996af3ed51a71ee6f8ecd296bd7

SHA256
be1b822e970dfe1a120d248db7000eaf799bd6531929a1308676c70fe1608d60

SHA512
eb6452b23ea36c39d03ead154185616c13583f12f382cb2456beeb1ba6e5febdfd2a6f1064283cf115ad1c517dbf409777cdacb128e00c9d3f401335db355537

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\GPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\GPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\GPUCache\index

Filesize
256KB

MD5
9e43a4dc6eba1d42f26f8936323dffa2

SHA1
cdd1dd85931573944625f1d13e7cd851bd759749

SHA256
a554fcd43268ca16f37231f1081227982a95d8c40cef3cf0cdac060a7cbae371

SHA512
3f4660eaae2588309f3f451244208f149c97498f3ad03400bd6fd03402738235ad2c54c76a35e24de6e74097bd7939c32ad50de1ad3b9ee89640beacae864975

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\History

Filesize
116KB

MD5
4e2922249bf476fb3067795f2fa5e794

SHA1
d2db6b2759d9e650ae031eb62247d457ccaa57d2

SHA256
c2c17166e7468877d1e80822f8a5f35a7700ac0b68f3b369a1f4154ae4f811e1

SHA512
8e5e12daf11f9f6e73fb30f563c8f2a64bbc7bb9deffe4969e23081ec1c4073cdf6c74e8dbcc65a271142083ad8312ec7d59505c90e718a5228d369f4240e1da

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\History Provider Cache

Filesize
6B

MD5
a9851aa4c3c8af2d1bd8834201b2ba51

SHA1
fa95986f7ebfac4aab3b261d3ed0a21b142e91fc

SHA256
e708be5e34097c8b4b6ecb50ead7705843d0dc4b0779b95ef57073d80f36c191

SHA512
41a1b4d650ff55b164f3db02c8440f044c4ec31d8ddbbbf56195d4e27473c6b1379dfad3581e16429650e2364791f5c19aae723efc11986bb986ef262538b818

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\Local Storage\leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\Login Data

Filesize
40KB

MD5
b608d407fc15adea97c26936bc6f03f6

SHA1
953e7420801c76393902c0d6bb56148947e41571

SHA256
b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

SHA512
cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\Media History

Filesize
76KB

MD5
cf7ac318453f6b64b6dc186489ff4593

SHA1
b405c8e0737be8e16a08556757dc817bd02af025

SHA256
634434e865f1ba1b90039bd5afd8f01bad6d278377106022ea2a9c2d8778d31a

SHA512
b64e484d16222d8de31f53cd60b719b7d855bbc552a7d052e202382bc3013e0edaceb31e3a287f2ea6b7117ccfdb8a56ea9d7da78535d2c606183072ecd084e4

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\Network Persistent State

Filesize
61B

MD5
4df4574bfbb7e0b0bc56c2c9b12b6c47

SHA1
81efcbd3e3da8221444a21f45305af6fa4b71907

SHA256
e1b77550222c2451772c958e44026abe518a2c8766862f331765788ddd196377

SHA512
78b14f60f2d80400fe50360cf303a961685396b7697775d078825a29b717081442d357c2039ad0984d4b622976b0314ede8f478cde320daec118da546cb0682a

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\Preferences

Filesize
3KB

MD5
67b0a7138e30938822f8ab9d12143c94

SHA1
75b78dff9fa8dff0055a80249d4f75e5156ab72f

SHA256
b02b3b89025f481c614bb055cec41e818bca5461b0b77896c8973796510022c2

SHA512
5cbc435c893f6047c423ef53c4ad52a7441fac7af37824b9cfdbc8491002394491723c6c0c34e89ddc2c8d3df0f0e98693b757ce92efef0cd24cdd0fc95bd9ff

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\Preferences

Filesize
3KB

MD5
30f84c1bd45932f8075fce22941bfc43

SHA1
ecd2784e0346ecfe14ec3148cc7027d5652be35e

SHA256
2784dee7fb3c34db7236908f2bdc313a7f0d7c82899fefdee6fb691f64e4a1db

SHA512
0809399ce0ec9211b8dcba3d2b569f70cea4b30884b3530b2d2d6d4b9b8ff790b73a44ad63dbf7dcb01ff056132f454f7372eabc552d59f8887fb03f5003b25e

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\Preferences

Filesize
3KB

MD5
847a80cd0f5c9b8d8886a9a41e7216aa

SHA1
e3d71e5de42783f6d281f83b48d41ec0c6eba606

SHA256
818ce34caec27f2388b4094cba5290985b4c081bec23f75e2fdcd9e7cac6b902

SHA512
47349b64f0782925865ee12c5795ebcb2c13f4fd2cc44f188cf74e51834da3d20babd7b7db4a6760baa79b2831960a95516b63f4418db700258a97deebd218d6

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\Secure Preferences

Filesize
8KB

MD5
b192be1e80f2ab5d7d1f3cd4393a37f2

SHA1
d1af2bab68d77394b324a59871e99a2697289504

SHA256
d0cc9f3fff4f8baa2904c0b2c1af93ffaf12058f7c4f99caee1858c8e84eff12

SHA512
c0df9ea2e1310407c21c85226ce3f5c016c5f9ebfe79b6fdac91672254475d829c0133b7932f2d459f1688560653e7fc903d216e9f83e75f3f2d22b0c0ca31da

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\Site Characteristics Database\000003.log

Filesize
40B

MD5
148079685e25097536785f4536af014b

SHA1
c5ff5b1b69487a9dd4d244d11bbafa91708c1a41

SHA256
f096bc366a931fba656bdcd77b24af15a5f29fc53281a727c79f82c608ecfab8

SHA512
c2556034ea51abfbc172eb62ff11f5ac45c317f84f39d4b9e3ddbd0190da6ef7fa03fe63631b97ab806430442974a07f8e81b5f7dc52d9f2fcdc669adca8d91f

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\Site Characteristics Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\Site Characteristics Database\LOG

Filesize
307B

MD5
edb5aee5c2e05257b4bc39d9211c9cdf

SHA1
e34ab3eda96993f93d32e878f11a592c6a310e1e

SHA256
aeb9c072cc1d394a035dae3c353270cb667bdcdbe0e8d4482384399d103a2f1f

SHA512
9727442b377de3cd096bbe10ef9c757b52ec638c84fa830687912de275482adc2214b1d7e997dfd5c23ebc3b26cb747c72eca25d33b86ee78e4388fff49034af

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\Sync Data\LevelDB\000003.log

Filesize
46B

MD5
90881c9c26f29fca29815a08ba858544

SHA1
06fee974987b91d82c2839a4bb12991fa99e1bdd

SHA256
a2ca52e34b6138624ac2dd20349cde28482143b837db40a7f0fbda023077c26a

SHA512
15f7f8197b4fc46c4c5c2570fb1f6dd73cb125f9ee53dfa67f5a0d944543c5347bdab5cce95e91dd6c948c9023e23c7f9d76cff990e623178c92f8d49150a625

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\Sync Data\LevelDB\LOG

Filesize
281B

MD5
4b03997e30fe851fd98440a02bf90b3c

SHA1
2e17f8a91f6f605ab111ade4b92bd12267205a08

SHA256
4494bb52cc0a8376a12f280e6dbaecad5c2ae282879cbf53049c913f32f6c3db

SHA512
83006fb0b904943d2141a04c4476bb057425078d711c458fb6ac2838d132a8a15f63c5a3e371fc42c1fda798348169326f20d70008b1ed4c340e1e1639850de9

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\Top Sites

Filesize
20KB

MD5
325ddf165383376a8e530a8288a9fb73

SHA1
f451204bb6f3de9de42f27bd887576b083026e87

SHA256
53eb4fcb3cbcaacd4d94036c9379715990f86185b8ef7fd18cb27665193da6c8

SHA512
edb9c49956741560f40df102b81c3b558b1ae9ce902040f89cecb2fbbf60277dcb73f68d8b7c60340a92c46915828b7a204420292d0a4906ac0e9082943ad528

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\Visited Links

Filesize
128KB

MD5
2c842dae86fb0dfb516f68fb7d49e266

SHA1
5a168435c23d3b6d0b1848da462d38bb68bf165f

SHA256
6d1ef4890b05667c2da1103897bda2f96c6c27a4144f8f6d0718cdd28aad8ede

SHA512
b7435f1fd05ff8f24af9e2ce63fea1fcf113f0da9ce971ac91ec84555a5625e3217102b9db4385274ccb73b5a3e3f89b1333385e271294b29fb8da99c70071ea

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\Web Data

Filesize
110KB

MD5
12aff5c24b1e165da94cc9ddef6d752a

SHA1
345a57b067d6c7561b149b6a7de1d0cf53e42cc9

SHA256
b49ee954c97289b707fcaed55266f7c49720d1c24f4a8872038384155081aabf

SHA512
fd584f3d7e3a5603ff2699e1b4930d6594b0ea09c0a194b7329f44d3d4d2e1e985a42ab512afc1b6a0f35412ef839d35f27fab1f6506e871d74c648c3adb0ae6

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\e9292f07-091a-4675-a3d5-6a16f3c770eb.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\load_statistics.db

Filesize
44KB

MD5
144dfaaa82df72858197f4ef7ddd34f2

SHA1
e6bbbc5593c1d782e2d23c6ba6a5f5468e7548fa

SHA256
fe2844d9713e3f49ff6e5c6d5e9f3b7af671fe9165cafe01ebbaf61bb1ae84b9

SHA512
5a53b1dfd4729dd2cf7c5fb45b4b15e3b1729c7c7dca1a029b39964a6e0f9435bde61ba5c8e7b859254798fa135264c9814533409e5980159e52cdca2b1a5793

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Last Version

Filesize
11B

MD5
b29bcf9cd0e55f93000b4bb265a9810b

SHA1
e662b8c98bd5eced29495dbe2a8f1930e3f714b8

SHA256
f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4

SHA512
e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Local State

Filesize
2KB

MD5
9869d159aa2ac93fb9de2c036d76d4db

SHA1
9de301be84b9478abfb2d6e8a5817e3d7669b3be

SHA256
6836a660db038d1a95c288db0719e969b9766032b91105179c098b65fd76a00e

SHA512
589e7fe94f50b484d3f913d3ee89566ff2403c1ebc0c601f1f07dff7eab7161dad363074ce5e41e0a31e3485aa58227722afc2592d9c6e0c2994ae8ec15e3aa7

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Local State

Filesize
2KB

MD5
e316caf3ec14e2a9a9f1f17f1e40b416

SHA1
a43c65ae8e4496b70ed1e16930f85269b2953602

SHA256
b12e032ce1aac9247de8011698b74e65e1ca5a721a3ed51b80fcc77d3a6d17f5

SHA512
d87d9cc80548a6f0c2a25b06f12b153ddc421d18ad1250bcb26e60b17429f76e2e633e39d2d49f722441e16981ad2492beee9769afc489d39dc93e10d0ae75d4

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\ShaderCache\GPUCache\index

Filesize
256KB

MD5
48bd650cecd62103e877fa6bf29e5f18

SHA1
ed8c7509a3a1caf07dc4ebd7809ef37c3dfe4f0b

SHA256
a4b43c1d8153ece8025cf4756b16d2fc2b7bffb851c0a75b23d8d648f77ab765

SHA512
e0cfdbff95e7dc8ec411a488727f40d7db71df8aafa4a7a7624f680b3a6997d5f6e60f10ab7400d86a11e859d922dba7310161a611411959b75a8253159ec375

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\ea94dd3a-8666-4327-ad06-5651843f7acf.tmp

Filesize
2KB

MD5
471590a8ca9ec8a01aa4ea7fb3ed76b3

SHA1
63237a892e9830a1f69e5e102d3453ebe19b8a05

SHA256
66ec1b08f4355b7836a72e9d29c3bf06fcd0ade2130dded8aa8bcf7c4becf00e

SHA512
5aab03c3a82b6e2c85d8119c4941802f8e1c78b7036ed1f5d4d3b50e7b6a4d16dc64ff85ec94d14919561baac9d1692eac7ec7f7d40dbfee299d7cc90ecf0b2e

Download Submit
C:\Users\Admin\Documents\jjsploit\db.json

Filesize
54B

MD5
2670b82e1ed700d6034682c72617e748

SHA1
1f52a65b2d7245aaf73736068ef18cb5c6922bb1

SHA256
9389fd84d2ebe08bc0bd4df0ff66b35d2e85b987a0b3bc7563a1ec40a0754cd4

SHA512
9f5247de589414ce31a3e00d6db16698af722ecd7a24c564d8a8cc374bf1771cabb8be39876634f1284658de24d42237767dc7b3a82c4a312bc86421fa3673ec

Download Submit
C:\Windows\Installer\e577b1b.msi

Filesize
5.8MB

MD5
9c232fe2ede51929244afc5c67e53b51

SHA1
8e8bb0eda09d25c1f44b8abd66a7e15a414b76f5

SHA256
1985fdbec700334fbb2c907f37a102930744e6b3e9198c25f516eae9f6854e9b

SHA512
d7ba56ed15a4bb482a69543e6bfe11d0aed4bf6b6b037d51dc2d191e1eaae187d1297bbb7c847d73259c34bb9ee26f26f3689c2592b4ff92968101303be61492

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
12.8MB

MD5
db16729c7417b31d87d0c7b5f8ae06c3

SHA1
3a77feba60e8e27d10d5bf25439626ac4ed4c40d

SHA256
f0b116768460b1e148ac2db812fc5df3a9e02dba3618212e9ea05e7fc8a4e5e7

SHA512
44f48c809860877dd377cf05c3036826e7752acee3a0da9a9660046b170b31dff59cb0ffd7dc3b7841caf5609d5b99446d44e8e8e01323ed5598d35d1c44ad5e

Download Submit
\??\Volume{b39e1afb-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{6de80413-02bb-4193-840c-1353073b6f7d}_OnDiskSnapshotProp

Filesize
6KB

MD5
78e8a936d102696e4b32a223f4618e1c

SHA1
fbe7cfae025b23cbaa8cfc25346c9b46781777ad

SHA256
f84161f5086c702acbb0a738b75751ef7bbab6be867e6f222cb515a7447b58d1

SHA512
e7cba3c22827740105bb2089002b56fb8f2dff16c0fb73978c096158b646edadfa4da1221364b78ecf7f4715fa523a2f5dd5caa202f9516ed3adaa080f6054bd

Download Submit
memory/1588-592-0x000002CE37ED0000-0x000002CE37FA6000-memory.dmp

Filesize
856KB

Download
memory/1684-118-0x00007FFEFCB50000-0x00007FFEFCB51000-memory.dmp

Filesize
4KB

Download
memory/1684-261-0x000001F280010000-0x000001F2800E6000-memory.dmp

Filesize
856KB

Download
memory/2640-578-0x00000267B3AE0000-0x00000267B3BB6000-memory.dmp

Filesize
856KB

Download
memory/2848-589-0x0000020633F20000-0x0000020633FF6000-memory.dmp

Filesize
856KB

Download
memory/3076-577-0x0000022300010000-0x00000223000E6000-memory.dmp

Filesize
856KB

Download
memory/3696-260-0x0000025480010000-0x00000254800E6000-memory.dmp

Filesize
856KB

Download
memory/4548-518-0x00000266D0FA0000-0x00000266D1076000-memory.dmp

Filesize
856KB

Download