umbral | ccbcc6269218d292a06db3d9896dc621598a76794881ffbeb6f093d8b54e1c43

Analysis

max time kernel
141s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
23-02-2025 02:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JJSploit.exe
Size

6.6MB
MD5

f29fd0bb7218e3cf63ab6040be0a1698
SHA1

c078e4888d6e1cf6c75a4141d51a1d375c2f71c8
SHA256

ccbcc6269218d292a06db3d9896dc621598a76794881ffbeb6f093d8b54e1c43
SHA512

b68185e83baca3f8779e085fed57a0324fee7528139c4afa245900f206707b645f631cb08d8a2cc3ea6b75a65d0e5ac76c250897e28df2c6e7c4724f7790f40d
SSDEEP

196608:1dNnRdvjsTOvHK19gO8xbecifaCI1L5N1JTLX46:z1RSavI9sbf8vKf5

Score

10^/10

umbral xworm defense_evasion discovery rat stealer trojan

Malware Config

Extracted

Family

xworm

study-conclusions.gl.at.ply.gg:20142

Attributes

Install_directory
%Temp%
install_file
System32.exe

Signatures

Detect Umbral payload 3 IoCs

resource	yara_rule
behavioral2/files/0x000c000000023bd5-4.dat	family_umbral
behavioral2/memory/456-20-0x0000019094D40000-0x0000019094D80000-memory.dmp	family_umbral
behavioral2/memory/1224-31-0x0000000000400000-0x0000000000AAC000-memory.dmp	family_umbral

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000c000000023c32-23.dat	family_xworm
behavioral2/memory/3260-25-0x0000000000080000-0x0000000000098000-memory.dmp	family_xworm

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation	JJSploit.exe

Executes dropped EXE 3 IoCs

pid	Process
456	JJSploitInjector.exe
3260	JJSplo.exe
1196	jjsploit.exe

Loads dropped DLL 1 IoCs

pid	Process
2620	MsiExec.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jjsploit.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Drops file in Program Files directory 41 IoCs

description	ioc	Process
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1968_1164989886\LICENSE	msedgewebview2.exe
File created	C:\Program Files\jjsploit\resources\luascripts\jailbreak\policeesp.lua	msiexec.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1968_797537058\manifest.fingerprint	msedgewebview2.exe
File created	C:\Program Files\jjsploit\jjsploit.exe	msiexec.exe
File created	C:\Program Files\jjsploit\resources\luascripts\animations\dab.lua	msiexec.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1968_1164989886\Filtering Rules-AA	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1968_1164989886\Filtering Rules-CA	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1968_1164989886\Part-ES	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1968_1164989886\Part-NL	msedgewebview2.exe
File created	C:\Program Files\jjsploit\resources\luascripts\jailbreak\removewalls.lua	msiexec.exe
File created	C:\Program Files\jjsploit\resources\luascripts\general\noclip.lua	msiexec.exe
File created	C:\Program Files\jjsploit\resources\luascripts\general\infinitejump.lua	msiexec.exe
File created	C:\Program Files\jjsploit\resources\luascripts\jailbreak\walkspeed.lua	msiexec.exe
File created	C:\Program Files\jjsploit\resources\luascripts\general\fly.lua	msiexec.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1968_1164989886\Filtering Rules	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1968_1164989886\Part-RU	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1968_1164989886\Part-ZH	msedgewebview2.exe
File created	C:\Program Files\jjsploit\resources\luascripts\beesim\autodig.lua	msiexec.exe
File created	C:\Program Files\jjsploit\Uninstall jjsploit.lnk	msiexec.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1968_797537058\crl-set	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1968_1164989886\Part-FR	msedgewebview2.exe
File created	C:\Program Files\jjsploit\resources\luascripts\animations\jumpland.lua	msiexec.exe
File created	C:\Program Files\jjsploit\resources\luascripts\animations\walkthrough.lua	msiexec.exe
File created	C:\Program Files\jjsploit\resources\luascripts\animations\energizegui.lua	msiexec.exe
File created	C:\Program Files\jjsploit\resources\luascripts\general\magnetizeto.lua	msiexec.exe
File created	C:\Program Files\jjsploit\resources\luascripts\general\multidimensionalcharacter.lua	msiexec.exe
File created	C:\Program Files\jjsploit\resources\luascripts\general\aimbot.lua	msiexec.exe
File created	C:\Program Files\jjsploit\resources\luascripts\general\tptool.lua	msiexec.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1968_1164989886\Part-IT	msedgewebview2.exe
File created	C:\Program Files\jjsploit\resources\luascripts\general\god.lua	msiexec.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1968_1164989886\manifest.json	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1968_1164989886\manifest.fingerprint	msedgewebview2.exe
File created	C:\Program Files\jjsploit\resources\luascripts\general\chattroll.lua	msiexec.exe
File created	C:\Program Files\jjsploit\resources\luascripts\jailbreak\criminalesp.lua	msiexec.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1968_1560031141\manifest.json	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1968_1560031141\manifest.fingerprint	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1968_1164989886\adblock_snippet.js	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1968_1164989886\Part-DE	msedgewebview2.exe
File created	C:\Program Files\jjsploit\resources\luascripts\general\teleportto.lua	msiexec.exe
File created	C:\Program Files\jjsploit\resources\luascripts\animations\levitate.lua	msiexec.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1968_797537058\manifest.json	msedgewebview2.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\e5831c9.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{6A8ACD21-60F4-4550-8D6D-DBB3FFA8C7C4}	msiexec.exe
File opened for modification	C:\Windows\Installer\{6A8ACD21-60F4-4550-8D6D-DBB3FFA8C7C4}\ProductIcon	msiexec.exe
File created	C:\Windows\Installer\e5831cb.msi	msiexec.exe
File created	C:\Windows\Installer\e5831c9.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI32D3.tmp	msiexec.exe
File created	C:\Windows\Installer\{6A8ACD21-60F4-4550-8D6D-DBB3FFA8C7C4}\ProductIcon	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JJSploit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000090f11e24ea83ce490000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000090f11e240000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090090f11e24000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d90f11e24000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000090f11e2400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedgewebview2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedgewebview2.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedgewebview2.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133847511458526050"	msedgewebview2.exe

Modifies registry class 27 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\12DCA8A64F060554D8D6BD3BFF8A7C4C\SourceList\Media\1 = ";"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\12DCA8A64F060554D8D6BD3BFF8A7C4C\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\12DCA8A64F060554D8D6BD3BFF8A7C4C\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\12DCA8A64F060554D8D6BD3BFF8A7C4C	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\12DCA8A64F060554D8D6BD3BFF8A7C4C\Environment = "MainProgram"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\12DCA8A64F060554D8D6BD3BFF8A7C4C\Version = "135004162"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\2294C8C9A96F9A557BCA814D87DFAFEC	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\12DCA8A64F060554D8D6BD3BFF8A7C4C\SourceList\PackageName = "jjsploit_8.12.2_x64_en-US (1).msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\12DCA8A64F060554D8D6BD3BFF8A7C4C\ShortcutsFeature = "MainProgram"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\12DCA8A64F060554D8D6BD3BFF8A7C4C\External	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\12DCA8A64F060554D8D6BD3BFF8A7C4C\PackageCode = "0C7F8E08B1B421D4A886CBB7E79DC45D"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\12DCA8A64F060554D8D6BD3BFF8A7C4C\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\12DCA8A64F060554D8D6BD3BFF8A7C4C\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\12DCA8A64F060554D8D6BD3BFF8A7C4C\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\12DCA8A64F060554D8D6BD3BFF8A7C4C\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\12DCA8A64F060554D8D6BD3BFF8A7C4C\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\12DCA8A64F060554D8D6BD3BFF8A7C4C\MainProgram	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\12DCA8A64F060554D8D6BD3BFF8A7C4C\ProductName = "jjsploit"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\12DCA8A64F060554D8D6BD3BFF8A7C4C\Language = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\12DCA8A64F060554D8D6BD3BFF8A7C4C\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\12DCA8A64F060554D8D6BD3BFF8A7C4C\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\12DCA8A64F060554D8D6BD3BFF8A7C4C\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000_Classes\Local Settings	JJSploit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\12DCA8A64F060554D8D6BD3BFF8A7C4C	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\12DCA8A64F060554D8D6BD3BFF8A7C4C\ProductIcon = "C:\\Windows\\Installer\\{6A8ACD21-60F4-4550-8D6D-DBB3FFA8C7C4}\\ProductIcon"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\2294C8C9A96F9A557BCA814D87DFAFEC\12DCA8A64F060554D8D6BD3BFF8A7C4C	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\12DCA8A64F060554D8D6BD3BFF8A7C4C\SourceList\Net	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1908	msiexec.exe
1908	msiexec.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs

pid	Process
1968	msedgewebview2.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3260	JJSplo.exe
Token: SeDebugPrivilege	456	JJSploitInjector.exe
Token: SeIncreaseQuotaPrivilege	540	wmic.exe
Token: SeSecurityPrivilege	540	wmic.exe
Token: SeTakeOwnershipPrivilege	540	wmic.exe
Token: SeLoadDriverPrivilege	540	wmic.exe
Token: SeSystemProfilePrivilege	540	wmic.exe
Token: SeSystemtimePrivilege	540	wmic.exe
Token: SeProfSingleProcessPrivilege	540	wmic.exe
Token: SeIncBasePriorityPrivilege	540	wmic.exe
Token: SeCreatePagefilePrivilege	540	wmic.exe
Token: SeBackupPrivilege	540	wmic.exe
Token: SeRestorePrivilege	540	wmic.exe
Token: SeShutdownPrivilege	540	wmic.exe
Token: SeDebugPrivilege	540	wmic.exe
Token: SeSystemEnvironmentPrivilege	540	wmic.exe
Token: SeRemoteShutdownPrivilege	540	wmic.exe
Token: SeUndockPrivilege	540	wmic.exe
Token: SeManageVolumePrivilege	540	wmic.exe
Token: 33	540	wmic.exe
Token: 34	540	wmic.exe
Token: 35	540	wmic.exe
Token: 36	540	wmic.exe
Token: SeShutdownPrivilege	5108	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5108	msiexec.exe
Token: SeIncreaseQuotaPrivilege	540	wmic.exe
Token: SeSecurityPrivilege	540	wmic.exe
Token: SeTakeOwnershipPrivilege	540	wmic.exe
Token: SeLoadDriverPrivilege	540	wmic.exe
Token: SeSystemProfilePrivilege	540	wmic.exe
Token: SeSystemtimePrivilege	540	wmic.exe
Token: SeProfSingleProcessPrivilege	540	wmic.exe
Token: SeIncBasePriorityPrivilege	540	wmic.exe
Token: SeCreatePagefilePrivilege	540	wmic.exe
Token: SeBackupPrivilege	540	wmic.exe
Token: SeRestorePrivilege	540	wmic.exe
Token: SeShutdownPrivilege	540	wmic.exe
Token: SeDebugPrivilege	540	wmic.exe
Token: SeSystemEnvironmentPrivilege	540	wmic.exe
Token: SeRemoteShutdownPrivilege	540	wmic.exe
Token: SeUndockPrivilege	540	wmic.exe
Token: SeManageVolumePrivilege	540	wmic.exe
Token: 33	540	wmic.exe
Token: 34	540	wmic.exe
Token: 35	540	wmic.exe
Token: 36	540	wmic.exe
Token: SeSecurityPrivilege	1908	msiexec.exe
Token: SeCreateTokenPrivilege	5108	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	5108	msiexec.exe
Token: SeLockMemoryPrivilege	5108	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5108	msiexec.exe
Token: SeMachineAccountPrivilege	5108	msiexec.exe
Token: SeTcbPrivilege	5108	msiexec.exe
Token: SeSecurityPrivilege	5108	msiexec.exe
Token: SeTakeOwnershipPrivilege	5108	msiexec.exe
Token: SeLoadDriverPrivilege	5108	msiexec.exe
Token: SeSystemProfilePrivilege	5108	msiexec.exe
Token: SeSystemtimePrivilege	5108	msiexec.exe
Token: SeProfSingleProcessPrivilege	5108	msiexec.exe
Token: SeIncBasePriorityPrivilege	5108	msiexec.exe
Token: SeCreatePagefilePrivilege	5108	msiexec.exe
Token: SeCreatePermanentPrivilege	5108	msiexec.exe
Token: SeBackupPrivilege	5108	msiexec.exe
Token: SeRestorePrivilege	5108	msiexec.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
5108	msiexec.exe
5108	msiexec.exe
1196	jjsploit.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1224 wrote to memory of 456	1224	JJSploit.exe	87
PID 1224 wrote to memory of 456	1224	JJSploit.exe	87
PID 1224 wrote to memory of 3260	1224	JJSploit.exe	88
PID 1224 wrote to memory of 3260	1224	JJSploit.exe	88
PID 1224 wrote to memory of 5108	1224	JJSploit.exe	89
PID 1224 wrote to memory of 5108	1224	JJSploit.exe	89
PID 1224 wrote to memory of 5108	1224	JJSploit.exe	89
PID 456 wrote to memory of 540	456	JJSploitInjector.exe	90
PID 456 wrote to memory of 540	456	JJSploitInjector.exe	90
PID 1908 wrote to memory of 2620	1908	msiexec.exe	98
PID 1908 wrote to memory of 2620	1908	msiexec.exe	98
PID 1908 wrote to memory of 2620	1908	msiexec.exe	98
PID 1908 wrote to memory of 3872	1908	msiexec.exe	103
PID 1908 wrote to memory of 3872	1908	msiexec.exe	103
PID 5108 wrote to memory of 1196	5108	msiexec.exe	106
PID 5108 wrote to memory of 1196	5108	msiexec.exe	106
PID 1196 wrote to memory of 1968	1196	jjsploit.exe	107
PID 1196 wrote to memory of 1968	1196	jjsploit.exe	107
PID 1968 wrote to memory of 4028	1968	msedgewebview2.exe	108
PID 1968 wrote to memory of 4028	1968	msedgewebview2.exe	108
PID 1968 wrote to memory of 3352	1968	msedgewebview2.exe	109
PID 1968 wrote to memory of 3352	1968	msedgewebview2.exe	109
PID 1968 wrote to memory of 3352	1968	msedgewebview2.exe	109
PID 1968 wrote to memory of 3352	1968	msedgewebview2.exe	109
PID 1968 wrote to memory of 3352	1968	msedgewebview2.exe	109
PID 1968 wrote to memory of 3352	1968	msedgewebview2.exe	109
PID 1968 wrote to memory of 3352	1968	msedgewebview2.exe	109
PID 1968 wrote to memory of 3352	1968	msedgewebview2.exe	109
PID 1968 wrote to memory of 3352	1968	msedgewebview2.exe	109
PID 1968 wrote to memory of 3352	1968	msedgewebview2.exe	109
PID 1968 wrote to memory of 3352	1968	msedgewebview2.exe	109
PID 1968 wrote to memory of 3352	1968	msedgewebview2.exe	109
PID 1968 wrote to memory of 3352	1968	msedgewebview2.exe	109
PID 1968 wrote to memory of 3352	1968	msedgewebview2.exe	109
PID 1968 wrote to memory of 3352	1968	msedgewebview2.exe	109
PID 1968 wrote to memory of 3352	1968	msedgewebview2.exe	109
PID 1968 wrote to memory of 3352	1968	msedgewebview2.exe	109
PID 1968 wrote to memory of 3352	1968	msedgewebview2.exe	109
PID 1968 wrote to memory of 3352	1968	msedgewebview2.exe	109
PID 1968 wrote to memory of 3352	1968	msedgewebview2.exe	109
PID 1968 wrote to memory of 3352	1968	msedgewebview2.exe	109
PID 1968 wrote to memory of 3352	1968	msedgewebview2.exe	109
PID 1968 wrote to memory of 3352	1968	msedgewebview2.exe	109
PID 1968 wrote to memory of 3352	1968	msedgewebview2.exe	109
PID 1968 wrote to memory of 3352	1968	msedgewebview2.exe	109
PID 1968 wrote to memory of 3352	1968	msedgewebview2.exe	109
PID 1968 wrote to memory of 3352	1968	msedgewebview2.exe	109
PID 1968 wrote to memory of 3352	1968	msedgewebview2.exe	109
PID 1968 wrote to memory of 3352	1968	msedgewebview2.exe	109
PID 1968 wrote to memory of 3352	1968	msedgewebview2.exe	109
PID 1968 wrote to memory of 3352	1968	msedgewebview2.exe	109
PID 1968 wrote to memory of 3352	1968	msedgewebview2.exe	109
PID 1968 wrote to memory of 3352	1968	msedgewebview2.exe	109
PID 1968 wrote to memory of 3352	1968	msedgewebview2.exe	109
PID 1968 wrote to memory of 3352	1968	msedgewebview2.exe	109
PID 1968 wrote to memory of 3352	1968	msedgewebview2.exe	109
PID 1968 wrote to memory of 3352	1968	msedgewebview2.exe	109
PID 1968 wrote to memory of 3352	1968	msedgewebview2.exe	109
PID 1968 wrote to memory of 3352	1968	msedgewebview2.exe	109
PID 1968 wrote to memory of 3352	1968	msedgewebview2.exe	109
PID 1968 wrote to memory of 3352	1968	msedgewebview2.exe	109
PID 1968 wrote to memory of 3352	1968	msedgewebview2.exe	109
PID 1968 wrote to memory of 3352	1968	msedgewebview2.exe	109
PID 1968 wrote to memory of 3352	1968	msedgewebview2.exe	109

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\JJSploit.exe
"C:\Users\Admin\AppData\Local\Temp\JJSploit.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Users\Admin\AppData\Local\Temp\JJSploitInjector.exe
  "C:\Users\Admin\AppData\Local\Temp\JJSploitInjector.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:456
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:540
- C:\Users\Admin\AppData\Local\Temp\JJSplo.exe
  "C:\Users\Admin\AppData\Local\Temp\JJSplo.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3260
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\jjsploit_8.12.2_x64_en-US (1).msi"
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:5108
- - C:\Program Files\jjsploit\jjsploit.exe
    "C:\Program Files\jjsploit\jjsploit.exe"
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1196
  - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=jjsploit.exe --webview-exe-version=8.12.2 --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --autoplay-policy=no-user-gesture-required --disable-features=msWebOOUI,msPdfOOUI,msSmartScreenProtection --lang=en-US --mojo-named-platform-channel-pipe=1196.2332.2236598252264548809
      4⤵
      Drops file in Program Files directory
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of WriteProcessMemory
      PID:1968
    - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Crashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=132.0.2957.140 --initial-client-data=0x15c,0x160,0x164,0x138,0x16c,0x7ffc3cafb078,0x7ffc3cafb084,0x7ffc3cafb090
        5⤵
        
        PID:4028
    - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --type=gpu-process --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=jjsploit.exe --webview-exe-version=8.12.2 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=1728,i,13350709024725133703,6584611654756607348,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=1724 /prefetch:2
        5⤵
        
        PID:3352
    - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=jjsploit.exe --webview-exe-version=8.12.2 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --always-read-main-dll --field-trial-handle=2044,i,13350709024725133703,6584611654756607348,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=2052 /prefetch:3
        5⤵
        
        PID:660
    - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=jjsploit.exe --webview-exe-version=8.12.2 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --always-read-main-dll --field-trial-handle=2364,i,13350709024725133703,6584611654756607348,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=2372 /prefetch:8
        5⤵
        
        PID:3152
    - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=jjsploit.exe --webview-exe-version=8.12.2 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --autoplay-policy=no-user-gesture-required --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=" --always-read-main-dll --field-trial-handle=3644,i,13350709024725133703,6584611654756607348,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=3652 /prefetch:1
        5⤵
        
        PID:2856
    - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=jjsploit.exe --webview-exe-version=8.12.2 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --always-read-main-dll --field-trial-handle=2204,i,13350709024725133703,6584611654756607348,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=4568 /prefetch:8
        5⤵
        
        PID:5068
    - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=jjsploit.exe --webview-exe-version=8.12.2 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --always-read-main-dll --field-trial-handle=4784,i,13350709024725133703,6584611654756607348,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=4648 /prefetch:8
        5⤵
        
        PID:4392
    - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=jjsploit.exe --webview-exe-version=8.12.2 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --always-read-main-dll --field-trial-handle=756,i,13350709024725133703,6584611654756607348,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=4676 /prefetch:8
        5⤵
        
        PID:1040

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 87D0FA143ADEBC68C4F00A240A0EFB74 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2620
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:3872

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:3816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Share Discovery

T1135

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5831ca.rbs

Filesize
21KB

MD5
e60d548c6f19070fc7b42976848e1ad8

SHA1
8b6e0d4a516d75b12e74dcf66d9de85b6a8a8c59

SHA256
9e380a51e129b4ac9b2183f6abb52fdee2cd054b3c1a26c2b72535aef66c1086

SHA512
deff82995e28e9a9f6754b464db96c809abdf68be1b755a3084a1b1c363638f32b37a9755aacef45ad805cc522c9c95e35c9846b08559eee05894f0afca5d1b1

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping1968_1164989886\manifest.json

Filesize
116B

MD5
2188c7ec4e86e29013803d6b85b0d5bb

SHA1
5a9b4a91c63e0013f661dfc472edb01385d0e3ce

SHA256
ac47cc331bb96271da2140941926a8accc6cb7599a6f3c17bd31c78f46709a62

SHA512
37c21eaff24a54c2c7571e480ff4f349267e4404111508f241f54a41542ce06bcde4c830c6e195fc48d1bf831ed1fe78da361d1e43416cfd6c02afa8188af656

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping1968_1560031141\manifest.fingerprint

Filesize
66B

MD5
3fb5233616491df0ec229ba9f42efdb8

SHA1
18a8116e2df9805accd7901d2321c3fa92da1af4

SHA256
946f3a9e019b0d80f5671de782f295132341f663f74aebad7628f22e528d6d52

SHA512
e9b17ac626bf6508db9a686825411e90d316a0f1dacbf63dbec5baaaf6b96af4dbc9a7332975b6d5c16c43757d79fddca6b888ea97bc07a8dffb1b3a06366b4d

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping1968_1560031141\manifest.json

Filesize
43B

MD5
af3a9104ca46f35bb5f6123d89c25966

SHA1
1ffb1b0aa9f44bdbc57bdf4b98d26d3be0207ee8

SHA256
81bd82ac27612a58be30a72dd8956b13f883e32ffb54a58076bd6a42b8afaeea

SHA512
6a7a543fa2d1ead3574b4897d2fc714bb218c60a04a70a7e92ecfd2ea59d67028f91b6a2094313f606560087336c619093f1d38d66a3c63a1d1d235ca03d36d1

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping1968_797537058\manifest.json

Filesize
114B

MD5
e6cd92ad3b3ab9cb3d325f3c4b7559aa

SHA1
0704d57b52cf55674524a5278ed4f7ba1e19ca0c

SHA256
63dfb8d99ce83b3ca282eb697dc76b17b4a48e4065fc7efafb77724739074a9d

SHA512
172d5dc107757bb591b9a8ed7f2b48f22b5184d6537572d375801113e294febfbe39077c408e3a04c44e6072427cbe443c6614d205a5a4aa290101722e18f5e8

Download Submit
C:\Program Files\jjsploit\jjsploit.exe

Filesize
17.1MB

MD5
b393f1b89a320d6a0b42190c6dcb6860

SHA1
209e800233976ec908a87db948b5aa175d99b1e8

SHA256
ca45895af0e91692514e6f4b8b494e68392821fa18503526243091d7d49e3064

SHA512
21be0b7a232e7182455206b13beada6e9614335a0b3ada9875a68620efc14f43723778910dfb6070a47ee8f177d02add1d5a2e60d616fec914a88b9ecb01f0eb

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\jjsploit\jjsploit.lnk

Filesize
1KB

MD5
a0a85ad6fc53a4072eaeebab64757b5a

SHA1
485b10729cb11542ab9b4a9411f561cb64f397da

SHA256
6bdae5543ab334f9dd2328bfb2c7b80b29ab5bdb35f93ab07763233075f6648c

SHA512
0ba85d4a1e300456ca1ae1d3c7c30ae6aa51a61c744e7da648f9198881db84ae44d1ca5329e610b2adf01f983f8966fc76232fbc3ec69296ece77cf41b46024f

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\jjsploit\jjsploit.lnk~RFe58343a.TMP

Filesize
1KB

MD5
ebe9569c5ceacee074047fa5ebe0428f

SHA1
b4cc8d5c954ead175a1ce3e4115871208dc3c822

SHA256
5bd7cd9d905be84b6dd7d50740b4742ed8a76b4347b7b614809465171e96588c

SHA512
eb72d2cc3ce0b961c29e98e4d519376c4aaed5665991b50ba61ee28bb1a68db30d835eaa45c59dc1340ebd26c07473be0b803e3e4da922d34d081d54b23aa61c

Download Submit
C:\Users\Admin\AppData\Local\Temp\JJSplo.exe

Filesize
68KB

MD5
c5ba230193b7f217c0e512a5cb8606e8

SHA1
f04b380d5622285d72531e0ed936e5bfe90fb4af

SHA256
8fd9fdf831724e2c0227f399e2a8be95304daa91b7fd07db4b245dba1380f9c3

SHA512
0c5bd99bdefde5c0a7a809199f0bed1a0590f05ffe12bb554424cf4982b606677c33fafe5e46fc0feb9d5f6163cfbae2fa771a91f9973a6cceae2176b5a3e0a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\JJSploitInjector.exe

Filesize
229KB

MD5
760861bfe626a80dcf4d2b13f8d8c76a

SHA1
8ce9854d053ce7df079942f6f76550479ccd6325

SHA256
ab957ab7e09f994d24ace2b7d1b807e757249465d12e21d5f1916afb1518e27a

SHA512
513d447fd8a84b799dbdcd8ea3382375aa8190fb340b51f5b78114bddc721b96fdfbd036ed04520a81664f18ff4a414c908c79bddcf665860486663fbb8d3be2

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIE5CC.tmp

Filesize
132KB

MD5
cfbb8568bd3711a97e6124c56fcfa8d9

SHA1
d7a098ae58bdd5e93a3c1b04b3d69a14234d5e57

SHA256
7f47d98ab25cfea9b3a2e898c3376cc9ba1cd893b4948b0c27caa530fd0e34cc

SHA512
860cbf3286ac4915580cefaf56a9c3d48938eb08e3f31b7f024c4339c037d7c8bdf16e766d08106505ba535be4922a87dc46bd029aae99a64ea2fc02cf3aec04

Download Submit
C:\Users\Admin\AppData\Local\Temp\jjsploit_8.12.2_x64_en-US (1).msi

Filesize
6.3MB

MD5
d8be6f14b4dd7a85a5b5479e88b940da

SHA1
4c1ed04a00fb4fc31cc4c10172d0e6f310faacef

SHA256
c3daa5b6503c601bf868de990dc5fe055c266a7cba6e269115290c37fb8a4d05

SHA512
77964855eddaf57ebf7810185eacf2bd40bfdd883473ac063223ea496744d81db678c171707d44cfe19077df1fcfb8888a54021fc6af7cb4547dcc464ce717ea

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\CertificateRevocation\6498.2024.12.2\crl-set

Filesize
21KB

MD5
846feb52bd6829102a780ec0da74ab04

SHA1
dd98409b49f0cd1f9d0028962d7276860579fb54

SHA256
124b7eeba31f0e3d9b842a62f3441204beb13fade81da38b854aecba0e03a5b4

SHA512
c8759e675506ccc6aa9807798252c7e7c48a0ab31674609738617dc105cee38bce69d4d41d6b95e16731466880b386d35483cbeea6275773f7041ba6e305fae9

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Crashpad\settings.dat

Filesize
280B

MD5
7aa21b9e47b37ebdd072cb1c7f955e2f

SHA1
8231e2dda361c3273d1ea72a64064ce8cb89ea9a

SHA256
ce99a1b5f413307eef947af9041311adcff66fc2d62226b94bc10288f2a32c2b

SHA512
c2f7132b0c80867d2685061b70c368def80e8f6785fe53354ca7f1a3c29ff8426efbd1959416df39a9e79404071763667efb5660f754af07c82670cdf247f0cf

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Crashpad\settings.dat

Filesize
280B

MD5
19b65bd798ad1a4299d5ca03f9e06997

SHA1
e724c09e5eb4a7aec8d4bbed5ccb70b1018ddf71

SHA256
97021fc5838fc331481ed5d4c0df0b667737e50c13c58b96aacc949260613e84

SHA512
10e7e46b124bd20a8aa17e05576b0cda575775c557e8bf2efb27d5d2a973560f7740ee6c119799ace63a076e5e3135ea5d962c8f05785fde4dc0f88e11ed642b

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Crashpad\throttle_store.dat

Filesize
20B

MD5
9e4e94633b73f4a7680240a0ffd6cd2c

SHA1
e68e02453ce22736169a56fdb59043d33668368f

SHA256
41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304

SHA512
193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
5e75bb81ae035a8400ee32543833aa84

SHA1
16d15a7b722af8883a1c1fbf6adf8b2a9c29ac99

SHA256
727f6c3331fb5be5cb814064627ecc6e9d45501249a7c0bd80879be19aa9992c

SHA512
615882a55e90cface19680edfa624dea3b3aade9da084566b6d7264f24fcce607d0736322a96aeabbae1089f3867d130fc8d3c03f0f35fceb083e6b859485b1c

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
a20817b35b4a15c9f9fbe078f5292714

SHA1
032f10979a6673f741ee8122f47c9bfd6b53f7c0

SHA256
3b673a5a93be9e9cd66a466ba880a5e0f64527f54533c15e5ccd23384571df21

SHA512
a06f6d32f85336ce9d543e81939ecbfb07ae83070f0fdf172bd1fb6e91f91ba8b136281481913443b65ea035147307c332c0877e152758ba005618f5e727c1be

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\DawnWebGPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\DawnWebGPUCache\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\DawnWebGPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\DawnWebGPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\Extension Rules\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\Network\Network Persistent State

Filesize
1KB

MD5
6cfef59c7420edcf03feb07e1dcff167

SHA1
f2d4688c1d1b4022b310449fa4d93d4150c38230

SHA256
92656624c53be1e9dd50fd45d14da0dbd3a5f76a8b4713987a8f6de64a4d74f4

SHA512
9ff6fe18c9218b3c36cc22a910aa7cad0827f4f3e2bd23e78e2e2eb76923c7f21005ae04dab6821dfa76433a2bd8fa0f4724508f6cc9ff5101466487f84985ce

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\Network\Network Persistent State~RFe59618f.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\Preferences

Filesize
6KB

MD5
cccfe7fc35e0d9f18a33334eca8ec26f

SHA1
1b2233c9264a131db9ecdf1a446a5409322e79f0

SHA256
f6dede154021768d3aa9bf81edc2dd01d3bde9a993f585b4f28d2cdbc56e6141

SHA512
4644656bc483104b77193ec81bc60331927ba32bb3b5e28dc24df80e06441470766c06fd8f7be6ad986a6f142fccd4ac14f650351e4b9540cead3df6fecf27ef

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\Preferences~RFe58ea3c.TMP

Filesize
6KB

MD5
b118fcf6dca2b4a9654cf21533b90923

SHA1
82d07d9953f58715cab4933477029ee3f3a8ec22

SHA256
88d92a46cccd2e5a86240f5e578449be4ad253e60d5cf2fe6bef50cefe141028

SHA512
44cab14be57f9d5b7769c460452977eca27bd2bf3aeb0e4522157bd14d54260b1d30afbb4205bf2a9401430ea83dbd0dd5f130f18361df6d193466d40d0264eb

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\Sync Data\LevelDB\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Local State

Filesize
1KB

MD5
c064bd64899930410f2a0e738d2268e2

SHA1
d513966c56379a1d166d172e3480f0e9e4d0ea7c

SHA256
f024e89370b150e9a9edf9dbabf671472bcf8c80a2dc28cf7ffc52d307713366

SHA512
c2abe3cb96704ebedbc153b3f25007af80d11de7f09e15cf7a14436c19dcba036520b57b9a5ac740498db4b9b17218b0b762b6ea9a5867236df4cb601cf69ba8

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Local State

Filesize
2KB

MD5
d53e5080fa512482e9d112fde11fcd61

SHA1
2d7dece6670f5117b16ca30725f8d8b01f72204e

SHA256
602ffddb418dac0e7e9abddae500aa837738136adc008327a786aca5dc1da034

SHA512
2f73e3635f452ba7a96096daac68cb3caaaea2c79fcd89716084c624c1959c1619a51827a21dc34e8410dee13dbb16066022b6e4f733ee3ff0e1efd8a1c0a175

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Local State

Filesize
3KB

MD5
572462d52f2e1da6cc2efc1062086d26

SHA1
4458ed903d75ca024edd94f4cded04623ae882ce

SHA256
478863ad95b80f013b125216e072e2445679232a2cf6704ab3cb2620ed442bf7

SHA512
b84f3d1014434f27d24f0d4a02cc1e4f38099a0340bea932d714b03904e44275ae6b75c42dde2c214e88b014d8b8cc541e15b90ed4e1714fb3833a9a30031a65

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Local State

Filesize
16KB

MD5
2e8b91d384ac259e9c6dfbd7743ceb69

SHA1
8dcf5af171e04f4536cc4316ea35de782f2a2624

SHA256
477659f35f1a8dc161fc40566295f74514009f95b8dd0487c01a5d12f035e034

SHA512
9a42b352243acd55713b34a37f55af3d9056a102220a53f23ac95fa42f9d54f534c2a6f59c8df400ae74991138c7d0c6b3a8c9effcb6fe58c219abe6678a87a0

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Local State~RFe584b8b.TMP

Filesize
1KB

MD5
d57d765eb2acd27778e599d0e21edc43

SHA1
9c8c267b61e91e229ace2377741f98b029581211

SHA256
e98dd1bf6fb9b1e0d6b88d4a58c5406db898595f269329259d96ddc58123e451

SHA512
f4872b518d94a8da56db0daa13871056e7ead1732b0c928f32700826eafa68938148cf95ad2fa0fe242bb938a565266bc24cb9861907d26a6bef8abc1207b5cd

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Subresource Filter\Unindexed Rules\10.34.0.57\Filtering Rules

Filesize
1.8MB

MD5
d7c9c6d2e1d9ae242d68a8316f41198c

SHA1
8d2ddccc88a10468e5bffad1bd377be82d053357

SHA256
f215127185b2ee6b01e12b6ca75d3e5c4e454598dd4aed36124ae13d59afd547

SHA512
7fd14824e9200dd99e1fd2cee402656dc0cfc3d0a60058c5eb05c68e9e65b7f0b47e550fb4d6c2b59eba204dbf3ef9e69dc9723b43a9b3ccd5412d6b77715fc3

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Subresource Filter\Unindexed Rules\10.34.0.57\LICENSE

Filesize
24KB

MD5
aad9405766b20014ab3beb08b99536de

SHA1
486a379bdfeecdc99ed3f4617f35ae65babe9d47

SHA256
ed0f972d56566a96fb2f128a7b58091dfbf32dc365b975bc9318c9701677f44d

SHA512
bd9bf257306fdaff3f1e3e1fccb1f0d6a3181d436035124bd4953679d1af2cd5b4cc053b0e2ef17745ae44ae919cd8fd9663fbc0cd9ed36607e9b2472c206852

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
5e1c1120168f775f16a6732d9201ff8f

SHA1
eeafdc1d1b919913671e944426223525df5f8493

SHA256
dec565707f9a9e3f932c87215ee6edafd77feaec06dccb417744bf53e4c95dd0

SHA512
2c0d5d18602ae0209a8f72a181389060656143977fb9558b5e31534b12ebe42d967be25b898931ea072aa715489fd310d9828ae9d324bf809ee1f05edfbb0f25

Download Submit
\??\Volume{241ef190-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{710fedd2-f60a-4c4c-8205-e87814f37a49}_OnDiskSnapshotProp

Filesize
6KB

MD5
0b161158a7070a63b82fb53feaa5cb27

SHA1
82bc615c37ab6edc2b1ec3fd7acf040468cc46a5

SHA256
a9bfb5aea49332678730ded5a009c8c4ad3f71dde42894e0e1e4ec65be81156f

SHA512
e73ef661cc8e3efcc279b2e26b87315f23d42361e93a8517e504febd6501bf058eb35c1e194c7a379b2d078036fa84ce03c46cc02ff6f755624872b1281a62b4

Download Submit
memory/456-20-0x0000019094D40000-0x0000019094D80000-memory.dmp

Filesize
256KB

Download
memory/456-35-0x00007FFC3DBE0000-0x00007FFC3E6A1000-memory.dmp

Filesize
10.8MB

Download
memory/456-32-0x00007FFC3DBE0000-0x00007FFC3E6A1000-memory.dmp

Filesize
10.8MB

Download
memory/456-14-0x00007FFC3DBE3000-0x00007FFC3DBE5000-memory.dmp

Filesize
8KB

Download
memory/1224-31-0x0000000000400000-0x0000000000AAC000-memory.dmp

Filesize
6.7MB

Download
memory/2856-229-0x00007FFC5A610000-0x00007FFC5A611000-memory.dmp

Filesize
4KB

Download
memory/3152-157-0x00007FFC5B350000-0x00007FFC5B351000-memory.dmp

Filesize
4KB

Download
memory/3152-158-0x00007FFC5A650000-0x00007FFC5A651000-memory.dmp

Filesize
4KB

Download
memory/3260-26-0x00007FFC3DBE0000-0x00007FFC3E6A1000-memory.dmp

Filesize
10.8MB

Download
memory/3260-25-0x0000000000080000-0x0000000000098000-memory.dmp

Filesize
96KB

Download
memory/3260-36-0x00007FFC3DBE0000-0x00007FFC3E6A1000-memory.dmp

Filesize
10.8MB

Download
memory/3260-37-0x00007FFC3DBE0000-0x00007FFC3E6A1000-memory.dmp

Filesize
10.8MB

Download
memory/3352-135-0x00007FFC5A610000-0x00007FFC5A611000-memory.dmp

Filesize
4KB

Download