File name:

DLL Injector_2.1.0_x86_en-US.msi

Full analysis: https://app.any.run/tasks/4f82c7cc-163a-4bbc-af07-d785c86bc827
Verdict: Malicious activity
Analysis date: December 28, 2024, 21:05:37
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
generated-doc
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: DLL Injector, Author: dllinjector, Keywords: Installer, Comments: This installer database contains the logic and data required to install DLL Injector., Template: Intel;0, Revision Number: {E548A4FB-865F-44C0-B2B9-28DA9B180D1F}, Create Time/Date: Tue Mar 14 20:31:28 2023, Last Saved Time/Date: Tue Mar 14 20:31:28 2023, Number of Pages: 450, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
MD5:

0592CA25CF22E8D5DAABACD1130D38F6

SHA1:

0A59FD8723DE4CB9BF6C3272A5DB7771E575EFF9

SHA256:

3B8991F1EEBFC46988DB25FE0DED11C3C08DF81AE2CA1BAF9103BA8259CAFC99

SSDEEP:

49152:TXt8FXtmZR9m+/YXz573yI2FvlfC+fM//uuEUNLTVx+pv/Z1BWCMnT5ldQqnUIwJ:T98FXinYXz5ryI2FvvM/mu/NLT41BWdG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 4528)
    • Changes the autorun value in the registry

      • MicrosoftEdgeUpdate.exe (PID: 7016)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 4528)
      • MicrosoftEdgeWebview2Setup.exe (PID: 6876)
      • MicrosoftEdgeUpdate.exe (PID: 7016)
    • Starts process via Powershell

      • powershell.exe (PID: 4528)
    • Executes as Windows Service

      • VSSVC.exe (PID: 7096)
    • Downloads file from URI via Powershell

      • powershell.exe (PID: 4528)
    • The process bypasses the loading of PowerShell profile settings

      • msiexec.exe (PID: 6424)
    • Process drops legitimate windows executable

      • powershell.exe (PID: 4528)
      • MicrosoftEdgeWebview2Setup.exe (PID: 6876)
      • MicrosoftEdgeUpdate.exe (PID: 7016)
    • Starts a Microsoft application from unusual location

      • MicrosoftEdgeWebview2Setup.exe (PID: 6876)
      • MicrosoftEdgeUpdate.exe (PID: 7016)
    • Starts itself from another location

      • MicrosoftEdgeUpdate.exe (PID: 7016)
    • Creates/Modifies COM task schedule object

      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 2076)
      • MicrosoftEdgeUpdate.exe (PID: 5732)
    • Reads security settings of Internet Explorer

      • MicrosoftEdgeUpdate.exe (PID: 7016)
    • Potential Corporate Privacy Violation

      • svchost.exe (PID: 6232)
    • Manipulates environment variables

      • powershell.exe (PID: 4528)
    • Starts POWERSHELL.EXE for commands execution

      • msiexec.exe (PID: 6424)
    • Gets or sets the security protocol (POWERSHELL)

      • powershell.exe (PID: 4528)
  • INFO

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 6308)
      • msiexec.exe (PID: 6424)
    • Reads the computer name

      • msiexec.exe (PID: 6424)
      • msiexec.exe (PID: 7044)
      • MicrosoftEdgeUpdate.exe (PID: 7016)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 2076)
      • MicrosoftEdgeUpdate.exe (PID: 5732)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 5972)
      • MicrosoftEdgeUpdate.exe (PID: 736)
      • MicrosoftEdgeUpdate.exe (PID: 5780)
      • MicrosoftEdgeUpdate.exe (PID: 2396)
    • An automatically generated document

      • msiexec.exe (PID: 6308)
    • Checks supported languages

      • msiexec.exe (PID: 7044)
      • msiexec.exe (PID: 6424)
      • MicrosoftEdgeWebview2Setup.exe (PID: 6876)
      • MicrosoftEdgeUpdate.exe (PID: 7016)
      • MicrosoftEdgeUpdate.exe (PID: 5732)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 5972)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 2076)
      • MicrosoftEdgeUpdate.exe (PID: 2396)
      • MicrosoftEdgeUpdate.exe (PID: 5780)
      • MicrosoftEdgeUpdate.exe (PID: 736)
    • Manages system restore points

      • SrTasks.exe (PID: 3364)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 6424)
    • The executable file from the user directory is run by the Powershell process

      • MicrosoftEdgeWebview2Setup.exe (PID: 6876)
    • The sample compiled with english language support

      • MicrosoftEdgeWebview2Setup.exe (PID: 6876)
      • powershell.exe (PID: 4528)
      • MicrosoftEdgeUpdate.exe (PID: 7016)
    • Create files in a temporary directory

      • MicrosoftEdgeWebview2Setup.exe (PID: 6876)
      • svchost.exe (PID: 6232)
    • Creates files or folders in the user directory

      • MicrosoftEdgeUpdate.exe (PID: 7016)
    • Reads Environment values

      • MicrosoftEdgeUpdate.exe (PID: 2396)
    • Process checks computer location settings

      • MicrosoftEdgeUpdate.exe (PID: 7016)
    • Reads the software policy settings

      • MicrosoftEdgeUpdate.exe (PID: 2396)
      • MicrosoftEdgeUpdate.exe (PID: 736)
    • Checks proxy server information

      • MicrosoftEdgeUpdate.exe (PID: 736)
      • MicrosoftEdgeUpdate.exe (PID: 2396)
      • powershell.exe (PID: 4528)
    • Disables trace logs

      • powershell.exe (PID: 4528)
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (98.5)
.msi | Microsoft Installer (100)

EXIF

FlashPix

CodePage: Windows Latin 1 (Western European)
Title: Installation Database
Subject: DLL Injector
Author: dllinjector
Keywords: Installer
Comments: This installer database contains the logic and data required to install DLL Injector.
Template: Intel;0
RevisionNumber: {E548A4FB-865F-44C0-B2B9-28DA9B180D1F}
CreateDate: 2023:03:14 20:31:28
ModifyDate: 2023:03:14 20:31:28
Pages: 450
Words: 2
Software: Windows Installer XML Toolset (3.11.2.4516)
Security: Read-only recommended
No data.
All screenshots are available in the full report
Total processes
149
Monitored processes
18
Malicious processes
4
Suspicious processes
1

Behavior graph

Processes in the graph (start):
  • msiexec.exe
  • msiexec.exe
  • msiexec.exe (no specs)
  • vssvc.exe (no specs)
  • srtasks.exe (no specs)
  • conhost.exe (no specs)
  • powershell.exe
  • conhost.exe (no specs)
  • microsoftedgewebview2setup.exe
  • microsoftedgeupdate.exe
  • microsoftedgeupdate.exe (no specs)
  • microsoftedgeupdatecomregistershell64.exe (no specs)
  • microsoftedgeupdatecomregistershell64.exe (no specs)
  • microsoftedgeupdatecomregistershell64.exe (no specs)
  • microsoftedgeupdate.exe
  • microsoftedgeupdate.exe (no specs)
  • microsoftedgeupdate.exe
  • svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 736
CMD: "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" -Embedding
Path: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update
Version:
1.3.195.43
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\ucrtbase.dll
PID: 2076
CMD: "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.195.43\MicrosoftEdgeUpdateComRegisterShell64.exe" /user
Path: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.195.43\MicrosoftEdgeUpdateComRegisterShell64.exe
Parent process: MicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update COM Registration Helper
Exit code:
0
Version:
1.3.195.43
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\1.3.195.43\microsoftedgeupdatecomregistershell64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID: 2396
CMD: "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMCIgc2Vzc2lvbmlkPSJ7RTQ5NzVCRTktMTRGQy00NUVGLUJDMjctRUU5QUZCNzY0QTdFfSIgdXNlcmlkPSJ7OTE0Mzg2NDgtNUYyMy00NUYxLUJFNzAtMjIwQjk5NjdDODYwfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9IntBQTg0NUEyMi1FQkNELTQ0MjAtOUYxMC0wNkI5MDNDNDU5NkR9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iNCIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQ1LjQwNDYiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREVMTCIgcHJvZHVjdF9uYW1lPSJERUxMIi8-PGV4cCBldGFnPSIiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMS4zLjE5NS40MyIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTI5NjY1NDcyMDkiIGluc3RhbGxfdGltZV9tcz0iNTYzIi8-PC9hcHA-PC9yZXF1ZXN0Pg
Path: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
Parent process: MicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update
Exit code:
0
Version:
1.3.195.43
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\ucrtbase.dll
PID: 3224
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: SrTasks.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3364
CMD: C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:11
Path: C:\Windows\System32\SrTasks.exe
Parent process: msiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Windows System Protection background tasks.
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\srtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 4164
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4528
CMD: powershell.exe -NoProfile -windowstyle hidden try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 } catch {}; Invoke-WebRequest -Uri "https://go.microsoft.com/fwlink/p/?LinkId=2124703" -OutFile "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" ; Start-Process -FilePath "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" -ArgumentList ('/silent', '/install') -Wait
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll
PID: 5732
CMD: "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
Path: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
Parent process: MicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update
Exit code:
0
Version:
1.3.195.43
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\ucrtbase.dll
PID: 5780
CMD: "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=false" /installsource otherinstallcmd /sessionid "{E4975BE9-14FC-45EF-BC27-EE9AFB764A7E}" /silent
Path: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
Parent process: MicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update
Version:
1.3.195.43
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\ucrtbase.dll
PID: 5972
CMD: "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.195.43\MicrosoftEdgeUpdateComRegisterShell64.exe" /user
Path: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.195.43\MicrosoftEdgeUpdateComRegisterShell64.exe
Parent process: MicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update COM Registration Helper
Exit code:
0
Version:
1.3.195.43
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\1.3.195.43\microsoftedgeupdatecomregistershell64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
Total events
12 648
Read events
11 446
Write events
1 159
Delete events
43

Modification events

(PID) Process: (6424) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation: write
Name: SrCreateRp (Enter)
Value:
48000000000000002719BD456C59DB0118190000A81B0000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (6424) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Enter)
Value:
48000000000000002719BD456C59DB0118190000A81B0000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (6424) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Leave)
Value:
4800000000000000AC81FD456C59DB0118190000A81B0000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (6424) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppCreate (Enter)
Value:
48000000000000001E3602466C59DB0118190000A81B0000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (6424) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Leave)
Value:
4800000000000000A11CFB456C59DB0118190000A81B0000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (6424) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Enter)
Value:
4800000000000000A11CFB456C59DB0118190000A81B0000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (6424) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher
Operation: write
Name: IDENTIFY (Enter)
Value:
4800000000000000918E6D466C59DB011819000028060000E80300000100000000000000000000002B2728EBAF6AA5488796F86ECDFB395700000000000000000000000000000000
(PID) Process: (7096) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
Operation: write
Name: IDENTIFY (Leave)
Value:
4800000000000000909680466C59DB01B81B000038180000E80300000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (7096) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\11000001
Operation: delete key
Name: (default)
Value:
(PID) Process: (7096) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\11000001
Operation: write
Name: Element
Value:
0000000000000000000000000000000006000000000000004800000000000000715E5C2FA985EB1190A89A9B763584210000000000000000745E5C2FA985EB1190A89A9B7635842100000000000000000000000000000000
Executable files
207
Suspicious files
15
Text files
6
Unknown types
1

Dropped files

PID
Process
Filename
Type
PID: 6424
Process: msiexec.exe
Filename: C:\System Volume Information\SPP\metadata-2
MD5:
SHA256:
PID: 6424
Process: msiexec.exe
Filename: C:\Windows\Temp\~DFAB871429D06D9B3F.TMP
Type: binary
MD5: 903725DF5185BB3241D5CFA96535E553
SHA256: 9F40A4ADE19593DCC13B0809FE6281AB94D6608E015CB89A11846A14E39BDFBD
PID: 6424
Process: msiexec.exe
Filename: C:\Program Files (x86)\DLL Injector\resources\db.json
Type: binary
MD5: A40C7716154F37886DDD4C622F6C77BC
SHA256: 5AD42E7977EF8EC640B037A9D22C992CBA1D96C9FF4F81DA057574CC6E82049D
PID: 6424
Process: msiexec.exe
Filename: C:\System Volume Information\SPP\snapshot-2
Type: binary
MD5: BFE6504CC3EED32A237F96925BE2A6B1
SHA256: 5FA7BDD0A5D28BF954E8BEDF4665C4BB9AC3D688B22782CE545C0E68FB7962A1
PID: 6424
Process: msiexec.exe
Filename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DLL Injector\DLL Injector.lnk
Type: binary
MD5: 84E54137E0E6062963EFE8A082B0F7E8
SHA256: A7DC07BB9929D49FDDACB5E6226D051365CD3FE9846C1A3A34C80999A3429E11
PID: 6424
Process: msiexec.exe
Filename: C:\System Volume Information\SPP\OnlineMetadataCache\{eb28272b-6aaf-48a5-8796-f86ecdfb3957}_OnDiskSnapshotProp
Type: binary
MD5: BFE6504CC3EED32A237F96925BE2A6B1
SHA256: 5FA7BDD0A5D28BF954E8BEDF4665C4BB9AC3D688B22782CE545C0E68FB7962A1
PID: 6424
Process: msiexec.exe
Filename: C:\Windows\Installer\13a79d.msi
Type: executable
MD5: 0592CA25CF22E8D5DAABACD1130D38F6
SHA256: 3B8991F1EEBFC46988DB25FE0DED11C3C08DF81AE2CA1BAF9103BA8259CAFC99
PID: 6424
Process: msiexec.exe
Filename: C:\Program Files (x86)\DLL Injector\DLL Injector.exe
Type: executable
MD5: C6EAEAE3CAB85586271AA8E94A1D3DE8
SHA256: C91C71046F15CC7F5DC4BB4E1E14B5A7A3329EA95954A245C47E181C808A70D2
PID: 6424
Process: msiexec.exe
Filename: C:\Program Files (x86)\DLL Injector\resources\x64_DLL_Injector.exe
Type: executable
MD5: E69DFA19D697E916F6AFAB3089E109D4
SHA256: 02DFCC045FC842D1086DE42EDC1F0536A8F942920A20EF9F5D72E68004469605
PID: 6424
Process: msiexec.exe
Filename: C:\Windows\Installer\{B49406D8-4171-4801-8E93-CD18B90BD12B}\ProductIcon
Type: image
MD5: 6C883B19B0AAF17CE2D5813EF2C8F86B
SHA256: A3594272B1770553332858C93BD9F91BFF9437B5B33128A9D3D252DC87C458E0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
38
DNS requests
23
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5064
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
1176
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
GET
200
2.16.241.19:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4136
SIHClient.exe
GET
200
2.23.9.218:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6232
svchost.exe
GET
84.201.210.39:80
http://msedge.f.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/7d9cd93c-1d5e-449b-9ad7-f1e8d6b90509?P1=1736024775&P2=404&P3=2&P4=AZ3LKc6tc0XzBkTWjcimB1L9cq%2fKY%2bT7kN1Zhqcqj4n1zFkDP1qJeT5NfbVppBNsKtRVAo0yEaOFa3lLmfCURg%3d%3d
unknown
whitelisted
6232
svchost.exe
HEAD
200
84.201.210.39:80
http://msedge.f.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/7d9cd93c-1d5e-449b-9ad7-f1e8d6b90509?P1=1736024775&P2=404&P3=2&P4=AZ3LKc6tc0XzBkTWjcimB1L9cq%2fKY%2bT7kN1Zhqcqj4n1zFkDP1qJeT5NfbVppBNsKtRVAo0yEaOFa3lLmfCURg%3d%3d
unknown
whitelisted
6552
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4136
SIHClient.exe
GET
200
2.23.9.218:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:137
whitelisted
4712
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2.16.241.19:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
5064
SearchApp.exe
2.23.209.130:443
www.bing.com
Akamai International B.V.
GB
whitelisted
1176
svchost.exe
20.190.160.22:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1176
svchost.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
5064
SearchApp.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 40.127.240.158
whitelisted
crl.microsoft.com
  • 2.16.241.19
  • 2.16.241.12
whitelisted
www.microsoft.com
  • 88.221.169.152
  • 2.23.9.218
whitelisted
google.com
  • 142.250.185.142
whitelisted
www.bing.com
  • 2.23.209.130
  • 2.23.209.140
  • 2.23.209.133
  • 2.23.209.149
  • 2.23.209.189
  • 2.23.209.187
  • 2.23.209.182
  • 2.23.209.179
whitelisted
login.live.com
  • 20.190.160.22
  • 40.126.32.68
  • 40.126.32.138
  • 40.126.32.134
  • 40.126.32.76
  • 20.190.160.17
  • 40.126.32.136
  • 40.126.32.140
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
go.microsoft.com
  • 184.28.89.167
  • 23.35.238.131
whitelisted
arc.msn.com
  • 20.199.58.43
whitelisted
fd.api.iris.microsoft.com
  • 20.199.58.43
whitelisted

Threats

PID
Process
Class
Message
6232
svchost.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
No debug info