hxxp://wearedevs[.]net

Resubmissions

22/01/2025, 23:35

250122-3k3nssskhr 7

25/12/2024, 21:57

241225-1t158ayqfv 10

25/12/2024, 21:55

241225-1sr6xsyqcw 10

25/12/2024, 21:42

241225-1kqywsymhs 8

Analysis

max time kernel
100s
max time network
102s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
22/01/2025, 23:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://wearedevs.net

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1924	DLL Injector.exe

Loads dropped DLL 2 IoCs

pid	Process
2496	MsiExec.exe
2496	MsiExec.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\DLL Injector\resources\x64_DLL_Injector.exe	msiexec.exe
File created	C:\Program Files (x86)\DLL Injector\Uninstall DLL Injector.lnk	msiexec.exe
File created	C:\Program Files (x86)\DLL Injector\DLL Injector.exe	msiexec.exe
File created	C:\Program Files (x86)\DLL Injector\resources\db.json	msiexec.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\{B49406D8-4171-4801-8E93-CD18B90BD12B}\ProductIcon	msiexec.exe
File created	C:\Windows\SystemTemp\~DF085644AD42041488.TMP	msiexec.exe
File created	C:\Windows\Installer\e588e31.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e588e31.msi	msiexec.exe
File created	C:\Windows\Installer\e588e33.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF54F7E08F65754F25.TMP	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\SystemTemp\~DFDCB44A73F9B28FE1.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8EED.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{B49406D8-4171-4801-8E93-CD18B90BD12B}\ProductIcon	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\SystemTemp\~DFC079D0A0ED916476.TMP	msiexec.exe
File created	C:\Windows\Installer\SourceHash{B49406D8-4171-4801-8E93-CD18B90BD12B}	msiexec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DLL Injector.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000008e4795fcec2d58710000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800008e4795fc0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809008e4795fc000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d8e4795fc000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000008e4795fc00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedgewebview2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe

Modifies registry class 27 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8D60494B17141084E839DC819BB01DB2	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8D60494B17141084E839DC819BB01DB2\ProductIcon = "C:\\Windows\\Installer\\{B49406D8-4171-4801-8E93-CD18B90BD12B}\\ProductIcon"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8D60494B17141084E839DC819BB01DB2\Version = "33619968"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8D60494B17141084E839DC819BB01DB2\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8D60494B17141084E839DC819BB01DB2\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8D60494B17141084E839DC819BB01DB2\SourceList\PackageName = "DLL Injector_2.1.0_x86_en-US.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8D60494B17141084E839DC819BB01DB2\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8D60494B17141084E839DC819BB01DB2\External	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8D60494B17141084E839DC819BB01DB2	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8D60494B17141084E839DC819BB01DB2\SourceList\Media	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8D60494B17141084E839DC819BB01DB2\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8D60494B17141084E839DC819BB01DB2\ProductName = "DLL Injector"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8D60494B17141084E839DC819BB01DB2\Language = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8D60494B17141084E839DC819BB01DB2\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8D60494B17141084E839DC819BB01DB2\ShortcutsFeature = "MainProgram"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8D60494B17141084E839DC819BB01DB2\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8D60494B17141084E839DC819BB01DB2\SourceList\Net\1 = "C:\\Users\\Admin\\Downloads\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8D60494B17141084E839DC819BB01DB2\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8D60494B17141084E839DC819BB01DB2\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\Downloads\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8D60494B17141084E839DC819BB01DB2\Environment = "MainProgram"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8D60494B17141084E839DC819BB01DB2\PackageCode = "BF4A845EF5680C442B9B82ADB981D0F1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\9C76CBC17929059569993AEA5F3C6733	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\9C76CBC17929059569993AEA5F3C6733\8D60494B17141084E839DC819BB01DB2	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8D60494B17141084E839DC819BB01DB2\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8D60494B17141084E839DC819BB01DB2\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8D60494B17141084E839DC819BB01DB2\MainProgram	msiexec.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 670255.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\DLL Injector_2.1.0_x86_en-US.msi:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4084	msedge.exe
4084	msedge.exe
1704	msedge.exe
1704	msedge.exe
4468	identity_helper.exe
4468	identity_helper.exe
2448	msedge.exe
2448	msedge.exe
3460	msedge.exe
3460	msedge.exe
3484	msiexec.exe
3484	msiexec.exe
4264	msedgewebview2.exe
4264	msedgewebview2.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

pid	Process
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1744	msedgewebview2.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1712	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1712	msiexec.exe
Token: SeSecurityPrivilege	3484	msiexec.exe
Token: SeCreateTokenPrivilege	1712	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1712	msiexec.exe
Token: SeLockMemoryPrivilege	1712	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1712	msiexec.exe
Token: SeMachineAccountPrivilege	1712	msiexec.exe
Token: SeTcbPrivilege	1712	msiexec.exe
Token: SeSecurityPrivilege	1712	msiexec.exe
Token: SeTakeOwnershipPrivilege	1712	msiexec.exe
Token: SeLoadDriverPrivilege	1712	msiexec.exe
Token: SeSystemProfilePrivilege	1712	msiexec.exe
Token: SeSystemtimePrivilege	1712	msiexec.exe
Token: SeProfSingleProcessPrivilege	1712	msiexec.exe
Token: SeIncBasePriorityPrivilege	1712	msiexec.exe
Token: SeCreatePagefilePrivilege	1712	msiexec.exe
Token: SeCreatePermanentPrivilege	1712	msiexec.exe
Token: SeBackupPrivilege	1712	msiexec.exe
Token: SeRestorePrivilege	1712	msiexec.exe
Token: SeShutdownPrivilege	1712	msiexec.exe
Token: SeDebugPrivilege	1712	msiexec.exe
Token: SeAuditPrivilege	1712	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1712	msiexec.exe
Token: SeChangeNotifyPrivilege	1712	msiexec.exe
Token: SeRemoteShutdownPrivilege	1712	msiexec.exe
Token: SeUndockPrivilege	1712	msiexec.exe
Token: SeSyncAgentPrivilege	1712	msiexec.exe
Token: SeEnableDelegationPrivilege	1712	msiexec.exe
Token: SeManageVolumePrivilege	1712	msiexec.exe
Token: SeImpersonatePrivilege	1712	msiexec.exe
Token: SeCreateGlobalPrivilege	1712	msiexec.exe
Token: SeCreateTokenPrivilege	1712	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1712	msiexec.exe
Token: SeLockMemoryPrivilege	1712	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1712	msiexec.exe
Token: SeMachineAccountPrivilege	1712	msiexec.exe
Token: SeTcbPrivilege	1712	msiexec.exe
Token: SeSecurityPrivilege	1712	msiexec.exe
Token: SeTakeOwnershipPrivilege	1712	msiexec.exe
Token: SeLoadDriverPrivilege	1712	msiexec.exe
Token: SeSystemProfilePrivilege	1712	msiexec.exe
Token: SeSystemtimePrivilege	1712	msiexec.exe
Token: SeProfSingleProcessPrivilege	1712	msiexec.exe
Token: SeIncBasePriorityPrivilege	1712	msiexec.exe
Token: SeCreatePagefilePrivilege	1712	msiexec.exe
Token: SeCreatePermanentPrivilege	1712	msiexec.exe
Token: SeBackupPrivilege	1712	msiexec.exe
Token: SeRestorePrivilege	1712	msiexec.exe
Token: SeShutdownPrivilege	1712	msiexec.exe
Token: SeDebugPrivilege	1712	msiexec.exe
Token: SeAuditPrivilege	1712	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1712	msiexec.exe
Token: SeChangeNotifyPrivilege	1712	msiexec.exe
Token: SeRemoteShutdownPrivilege	1712	msiexec.exe
Token: SeUndockPrivilege	1712	msiexec.exe
Token: SeSyncAgentPrivilege	1712	msiexec.exe
Token: SeEnableDelegationPrivilege	1712	msiexec.exe
Token: SeManageVolumePrivilege	1712	msiexec.exe
Token: SeImpersonatePrivilege	1712	msiexec.exe
Token: SeCreateGlobalPrivilege	1712	msiexec.exe
Token: SeCreateTokenPrivilege	1712	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1712	msiexec.exe
Token: SeLockMemoryPrivilege	1712	msiexec.exe

Suspicious use of FindShellTrayWindow 43 IoCs

pid	Process
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1712	msiexec.exe
1712	msiexec.exe
1924	DLL Injector.exe
1744	msedgewebview2.exe
1744	msedgewebview2.exe
5128	msiexec.exe
5128	msiexec.exe
1704	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 4696	1704	msedge.exe	78
PID 1704 wrote to memory of 4696	1704	msedge.exe	78
PID 1704 wrote to memory of 964	1704	msedge.exe	79
PID 1704 wrote to memory of 964	1704	msedge.exe	79
PID 1704 wrote to memory of 964	1704	msedge.exe	79
PID 1704 wrote to memory of 964	1704	msedge.exe	79
PID 1704 wrote to memory of 964	1704	msedge.exe	79
PID 1704 wrote to memory of 964	1704	msedge.exe	79
PID 1704 wrote to memory of 964	1704	msedge.exe	79
PID 1704 wrote to memory of 964	1704	msedge.exe	79
PID 1704 wrote to memory of 964	1704	msedge.exe	79
PID 1704 wrote to memory of 964	1704	msedge.exe	79
PID 1704 wrote to memory of 964	1704	msedge.exe	79
PID 1704 wrote to memory of 964	1704	msedge.exe	79
PID 1704 wrote to memory of 964	1704	msedge.exe	79
PID 1704 wrote to memory of 964	1704	msedge.exe	79
PID 1704 wrote to memory of 964	1704	msedge.exe	79
PID 1704 wrote to memory of 964	1704	msedge.exe	79
PID 1704 wrote to memory of 964	1704	msedge.exe	79
PID 1704 wrote to memory of 964	1704	msedge.exe	79
PID 1704 wrote to memory of 964	1704	msedge.exe	79
PID 1704 wrote to memory of 964	1704	msedge.exe	79
PID 1704 wrote to memory of 964	1704	msedge.exe	79
PID 1704 wrote to memory of 964	1704	msedge.exe	79
PID 1704 wrote to memory of 964	1704	msedge.exe	79
PID 1704 wrote to memory of 964	1704	msedge.exe	79
PID 1704 wrote to memory of 964	1704	msedge.exe	79
PID 1704 wrote to memory of 964	1704	msedge.exe	79
PID 1704 wrote to memory of 964	1704	msedge.exe	79
PID 1704 wrote to memory of 964	1704	msedge.exe	79
PID 1704 wrote to memory of 964	1704	msedge.exe	79
PID 1704 wrote to memory of 964	1704	msedge.exe	79
PID 1704 wrote to memory of 964	1704	msedge.exe	79
PID 1704 wrote to memory of 964	1704	msedge.exe	79
PID 1704 wrote to memory of 964	1704	msedge.exe	79
PID 1704 wrote to memory of 964	1704	msedge.exe	79
PID 1704 wrote to memory of 964	1704	msedge.exe	79
PID 1704 wrote to memory of 964	1704	msedge.exe	79
PID 1704 wrote to memory of 964	1704	msedge.exe	79
PID 1704 wrote to memory of 964	1704	msedge.exe	79
PID 1704 wrote to memory of 964	1704	msedge.exe	79
PID 1704 wrote to memory of 964	1704	msedge.exe	79
PID 1704 wrote to memory of 4084	1704	msedge.exe	80
PID 1704 wrote to memory of 4084	1704	msedge.exe	80
PID 1704 wrote to memory of 2348	1704	msedge.exe	81
PID 1704 wrote to memory of 2348	1704	msedge.exe	81
PID 1704 wrote to memory of 2348	1704	msedge.exe	81
PID 1704 wrote to memory of 2348	1704	msedge.exe	81
PID 1704 wrote to memory of 2348	1704	msedge.exe	81
PID 1704 wrote to memory of 2348	1704	msedge.exe	81
PID 1704 wrote to memory of 2348	1704	msedge.exe	81
PID 1704 wrote to memory of 2348	1704	msedge.exe	81
PID 1704 wrote to memory of 2348	1704	msedge.exe	81
PID 1704 wrote to memory of 2348	1704	msedge.exe	81
PID 1704 wrote to memory of 2348	1704	msedge.exe	81
PID 1704 wrote to memory of 2348	1704	msedge.exe	81
PID 1704 wrote to memory of 2348	1704	msedge.exe	81
PID 1704 wrote to memory of 2348	1704	msedge.exe	81
PID 1704 wrote to memory of 2348	1704	msedge.exe	81
PID 1704 wrote to memory of 2348	1704	msedge.exe	81
PID 1704 wrote to memory of 2348	1704	msedge.exe	81
PID 1704 wrote to memory of 2348	1704	msedge.exe	81
PID 1704 wrote to memory of 2348	1704	msedge.exe	81
PID 1704 wrote to memory of 2348	1704	msedge.exe	81

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://wearedevs.net
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8fd713cb8,0x7ff8fd713cc8,0x7ff8fd713cd8
  2⤵
  PID:4696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,15117829075315763923,3024521976163339063,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1892 /prefetch:2
  2⤵
  PID:964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1876,15117829075315763923,3024521976163339063,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1876,15117829075315763923,3024521976163339063,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2556 /prefetch:8
  2⤵
  PID:2348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,15117829075315763923,3024521976163339063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:1
  2⤵
  PID:2404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,15117829075315763923,3024521976163339063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
  2⤵
  PID:3460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,15117829075315763923,3024521976163339063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4572 /prefetch:1
  2⤵
  PID:2632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,15117829075315763923,3024521976163339063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4600 /prefetch:1
  2⤵
  PID:3780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,15117829075315763923,3024521976163339063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:1
  2⤵
  PID:2100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,15117829075315763923,3024521976163339063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
  2⤵
  PID:3244
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1876,15117829075315763923,3024521976163339063,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5908 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1876,15117829075315763923,3024521976163339063,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6456 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,15117829075315763923,3024521976163339063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6616 /prefetch:1
  2⤵
  PID:596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,15117829075315763923,3024521976163339063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6932 /prefetch:1
  2⤵
  PID:244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,15117829075315763923,3024521976163339063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6052 /prefetch:1
  2⤵
  PID:1596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,15117829075315763923,3024521976163339063,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6268 /prefetch:1
  2⤵
  PID:732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,15117829075315763923,3024521976163339063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4632 /prefetch:1
  2⤵
  PID:4772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,15117829075315763923,3024521976163339063,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4844 /prefetch:1
  2⤵
  PID:3168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,15117829075315763923,3024521976163339063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6600 /prefetch:1
  2⤵
  PID:4632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,15117829075315763923,3024521976163339063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6996 /prefetch:1
  2⤵
  PID:2756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,15117829075315763923,3024521976163339063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6120 /prefetch:1
  2⤵
  PID:4640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,15117829075315763923,3024521976163339063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:1
  2⤵
  PID:3196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,15117829075315763923,3024521976163339063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1216 /prefetch:1
  2⤵
  PID:904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,15117829075315763923,3024521976163339063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4708 /prefetch:1
  2⤵
  PID:1440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1876,15117829075315763923,3024521976163339063,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4740 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3460
- C:\Windows\System32\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\DLL Injector_2.1.0_x86_en-US.msi"
  2⤵
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1712

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5056

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4340

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3484
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding EE0E6E5033F8BD1C218B7EB86D41A59E C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2496
- - C:\Program Files (x86)\DLL Injector\DLL Injector.exe
    "C:\Program Files (x86)\DLL Injector\DLL Injector.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    PID:1924
  - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name="DLL Injector.exe" --webview-exe-version=2.1.0 --user-data-dir="C:\Users\Admin\AppData\Local\net.dllinjector\EBWebView" --no-default-browser-check --disable-component-extensions-with-background-pages --no-first-run --disable-default-apps --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --disable-features=msWebOOUI,msPdfOOUI,msSmartScreenProtection --disable-popup-blocking --internet-explorer-integration=none --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --lang=en-US --mojo-named-platform-channel-pipe=1924.2344.8680135060826643025
      4⤵
      Enumerates system info in registry
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      PID:1744
    - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\net.dllinjector\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\net.dllinjector\EBWebView\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\net.dllinjector\EBWebView --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0xe0,0x118,0x7ff8fd713cb8,0x7ff8fd713cc8,0x7ff8fd713cd8
        5⤵
        
        PID:876
    - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=gpu-process --field-trial-handle=1760,8268839906153797696,16094086373014081860,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.dllinjector\EBWebView" --webview-exe-name="DLL Injector.exe" --webview-exe-version=2.1.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1788 /prefetch:2
        5⤵
        
        PID:5000
    - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1760,8268839906153797696,16094086373014081860,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.dllinjector\EBWebView" --webview-exe-name="DLL Injector.exe" --webview-exe-version=2.1.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=1912 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4264
    - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1760,8268839906153797696,16094086373014081860,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.dllinjector\EBWebView" --webview-exe-name="DLL Injector.exe" --webview-exe-version=2.1.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=2344 /prefetch:8
        5⤵
        
        PID:4624
    - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=renderer --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --field-trial-handle=1760,8268839906153797696,16094086373014081860,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.dllinjector\EBWebView" --webview-exe-name="DLL Injector.exe" --webview-exe-version=2.1.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2964 /prefetch:1
        5⤵
        
        PID:5380
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:2544

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:2992

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3056

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5216

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1016

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\DLL Injector_2.1.0_x86_en-US.msi"
1⤵
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
PID:5128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Network Share Discovery

T1135

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e588e32.rbs

Filesize
10KB

MD5
703aca2e77168cfadc505164d41217fe

SHA1
22d14a1c33c6d7234f02f2cde31ac64f36a4f030

SHA256
eeb37157e08e29ceefe7f3b157a42cdfab46e8c156aa43b151c9c0f33cf1900a

SHA512
68ef627f4a034b57958e83a02f7d3d1c09db4b9c6d6dfc08c9c189724b2448af7b8fe44840b5a27aecf25719f30126388fa6261f44f5e0a27c4def90df752549

Download Submit
C:\Program Files (x86)\DLL Injector\DLL Injector.exe

Filesize
5.5MB

MD5
c6eaeae3cab85586271aa8e94a1d3de8

SHA1
4b7b23bf9e9e966ffcf21e8306f31765b993ae23

SHA256
c91c71046f15cc7f5dc4bb4e1e14b5a7a3329ea95954a245c47e181c808a70d2

SHA512
6ec08f95e66ec4a00c72a5a257bcfbbacad09b8a2de4168780373e76fef6951dc0a830b2eb129799dea8dbdc30eb10bc73061aeeab4ce8074f3bb6ede9e7cc81

Download Submit
C:\Program Files (x86)\DLL Injector\resources\db.json

Filesize
71B

MD5
a40c7716154f37886ddd4c622f6c77bc

SHA1
61ae9e351b2cd8bfcbd51eda7f21879ed576795d

SHA256
5ad42e7977ef8ec640b037a9d22c992cba1d96c9ff4f81da057574cc6e82049d

SHA512
f591412bb15e06e6286944124fc0f05cd8c397807714e77954bdd9a309c633758e85105fd85a5112709de1fb9865f124c94f52ba2d85d2d2ea34e5bcf76c48c3

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DLL Injector\DLL Injector.lnk

Filesize
2KB

MD5
c43aa4029fb961d26bb822764a44fca3

SHA1
3904b57f9a9e459e214fa6bb817f4a17e2b2793c

SHA256
b9b02bbf7e25b3c35c42618e1cead9d8ac83749f53455cce58e484e6722b15d4

SHA512
8d8c14855bb8effcc53d1cbd97c8ba621758521d381330899bb38b32726064d1065fecfd48734b7bc3a34c769ad9d51c58a1b7f89ba2b746b43f9e8a16b1d7e8

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DLL Injector\DLL Injector.lnk~RFe588fb8.TMP

Filesize
1KB

MD5
00552c2c10079d36c09d1e42ce46025a

SHA1
3d168edb4f4943a84d5d096491eca46752c33f92

SHA256
ea8b601c8ddf88420da4aa3eefc9188284f1fbe06c74ce7cd03cc6715bd01375

SHA512
9e19d3a7a7763b336f64aec6d435c8030a8beb2f9aeb329192e2ba25a024908373c745afa2bdf32e426b8554a915e1f7047a4c4d0b84eb962ff3ad33877d3c40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3d68c7edc2a288ee58e6629398bb9f7c

SHA1
6c1909dea9321c55cae38b8f16bd9d67822e2e51

SHA256
dfd733ed3cf4fb59f2041f82fdf676973783ffa75b9acca095609c7d4f73587b

SHA512
0eda66a07ec4cdb46b0f27d6c8cc157415d803af610b7430adac19547e121f380b9c6a2840f90fe49eaea9b48fa16079d93833c2bcf4b85e3c401d90d464ad2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c03d23a8155753f5a936bd7195e475bc

SHA1
cdf47f410a3ec000e84be83a3216b54331679d63

SHA256
6f5f7996d9b0e131dc2fec84859b7a8597c11a67dd41bdb5a5ef21a46e1ae0ca

SHA512
6ea9a631b454d7e795ec6161e08dbe388699012dbbc9c8cfdf73175a0ecd51204d45cf28a6f1706c8d5f1780666d95e46e4bc27752da9a9d289304f1d97c2f41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\08f7d6d6-7b9a-4ab5-8658-72765d71c36d.tmp

Filesize
8KB

MD5
c01bb8e0aefc03bce0f7b30a51836f66

SHA1
8e23a99a573478974e9bd18dfc865e9f4a14feec

SHA256
29482f6e69272e19bac1e944cf85f4bd45a9b7c38ea3529d157b49b6bc67aaea

SHA512
96ffcbe68807c0da941f39eb7b0687bf24e71eb614fd1015f2775e91b76a5c3ea86bf232d33cd0b404d1757b360627c7d3509d7eefb67b5ce1a7bb8e43b06772

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\3c047dba-8f1d-4f3f-a6e4-1caa89b9b745.tmp

Filesize
8KB

MD5
77c1f25bbbb57454a92c82678691a364

SHA1
ce59f52fc49830cf0c83472436fb28ef0708cd2f

SHA256
7240bf433295eac1772fc2c70cb1619742ffeb1b2c45bcc98ba3596fa3f67e77

SHA512
1a8f83bc7bdb3035278db8040bcb5967726eeac35517851f9ef1466cac1e2687cf1234470251b324299735e785fa166ad84acce9960b29b7b77026fe65673b74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002c

Filesize
20KB

MD5
624ad082508dc55c88873f4fddf098ff

SHA1
278156cd7edfe5b64c584b09ff72c07f240941cd

SHA256
5cd0934c61881758d2c75e8c461ddd040276f4a801a626e735b5d3369005db0e

SHA512
f500cebcf2c588bc8acb2fa115f773429bf2641554fccf84122b22792b594df967ef045edf64fe060876425bc90378e46ad282fe9b509e82dd99164a0a7529bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
92c4491336a8a7b5caebe7e0d2d5ff73

SHA1
f16a2622a2ec5b5104c9f6b16de826857b025aeb

SHA256
9ce34928a5e5ad5c7a9b75ddee4d3eee544a88a51cf963cd1d0b9f2d4a26da1b

SHA512
24f9d254b9f1e7c3f752081851c3e5b877c8060049f04b4e48b5340546f972762d7a771502a9b103de778ff4f8bf59d568fd57a4491b4d2b6e9fd4981dd319e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1008B

MD5
05fa8425ec9c714a67d38396a49cbcd6

SHA1
61340a55d8d9d834aee13b15d9c7a43c7328a93d

SHA256
be16a3931caac4938469ff7cf616f4ab43eb97e558e0c50d51613052b5b69817

SHA512
00e1e4755090f4f8e892d6f6c2822ea46ed54bc654b751f9caffa211ede7afe64a22e3d0818e32d288310404d5c72093d71499149c913a4ad7335224ea221ded

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
fe6d867f7712e073e1a8ea526ed9e77e

SHA1
d928e1de5a5d133ff8ffdccb7bd7ee59db9279aa

SHA256
1cc2954e26a6240c7b1a3672473d4d44a34502a762609fe3dc2ad25e541051cf

SHA512
ec28a69ba9d0d210a5e567f2394159a3db757b018522fdb7b0d712f9a4c553958eddc94c23ce8fff4f812b189d5ec5ce826fe410149db2bd6206991c30204747

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
15c048b4b9b45b6f6b45a911ace43915

SHA1
941d358de78c7346280ef9d536d81c594d53121a

SHA256
5169671aad18fbd1a9fee0fe5390a6f5b9fbabea1b4b8acb98fe20ffcd143e56

SHA512
662cc0f0261e96483c97edb3168372a23aae5752f4bfeaa9efec95c74fc5eeceb84f5c9193e587bbe4959bf9def050e892675e0d4acc183c11d5aa5442fd6573

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
dcc4a33aa7d1dc9a5775e2805abecc2a

SHA1
2b9f0b9778d6081f56475c7ebdf42acaa7529a3e

SHA256
1a82fd9fee8f0feb1e6410c5192c53cd2daa1fca08ad8d9fdd04e91945a7ba15

SHA512
bb41a3e31b3154adf75175fe68ca8670b85fc51a326162a595ec640e232c3b13751d0155bb1885fb9ca5739f4610df273bb51776826aea2504a067d5e5e90c80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
7ab4dff395d0b621be0201113a38893a

SHA1
88e0372a7553fd70819712f511a88cc62f3586f2

SHA256
f5e9cc6da99085baeead1f65c3f1093f927112edb44b67e6c82d26761c6f568d

SHA512
5665bb870cdb5133cbc7817bcd4a6c9cfa49e1f2d9d6a41aa8e0402d48fe97f91abaa6a94d1126fbb248d065077fd2f8f1ab79a7748f9af02bbea9f1b3f7ed8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ae49b9a02400bb07f7b9729a63fb84b9

SHA1
a7da71a1e7d6737080bc04a9862a9b199385a9e1

SHA256
6d52dd60f9b71f3694a40b959ba61df1e460515cee26cc361039e38617e68565

SHA512
7644e8bec52900c5aad5d68f1aaa6d83a75af883aac3102c481b6d20e7f885a18a8a5a52bc51c3b701d241549df23131c2624134a82474d88beee8076fa04bc1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5836ea.TMP

Filesize
872B

MD5
3669850fcf9c09485fbc09c68712ba92

SHA1
eb74a5dbbe2f058335e082d8257f007cdf55a804

SHA256
77e5272896f76764d6f72f3518ea9a33e11bd08b46b86ecb5896365d40cd8343

SHA512
2b937f87f41a1cd243e0b303b0a2617b393db38270fd394c6a0b00d431b424f278475016e6e591daff6b12fd6b795cebc2de5c18a1fa12d45aaeea82945c5fa7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
dfbca49fd2b440e0c978eae5164800ab

SHA1
bf8d43eabf46abd51ffe774651c02c648b5b5d5a

SHA256
ce7cf93891a05445d5575473895edc9b3612d4008dca8fbed1315a9352d9813c

SHA512
a545d5a05f86fb6653616db1b89b08913c3130b4c77062a90becd9ee2c85ba8c723e7109e7277f800d1b86621fd1294207a246c3a8f3b7e821b29aeb40f0a3e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5ccc8e9ee064651c184b29a4b021e5a9

SHA1
10a1d23e6dc512f8d7516fc06c57086f045bf2df

SHA256
e844055098a034099398d58c4353147f9c3427e65c8ff88d686c0dd27696cc99

SHA512
4dcefff396da4ef0cdfaacea06ba8899972c25470d9750433746c4b037323fc4bad7238614b94368d7aeb3b0b429e8d8b81f12481af072a27058a6866d997a84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
5de40ddedd3bd90e1f8c8508ff8150c6

SHA1
82708d2a2ed6ba66ebea851d866f593c4d9a711e

SHA256
2b34ff2601530cca97735af700e8650ea854def44c70e5e84626f4043d6f1aed

SHA512
cb394dd70ce2906962cd0146db120963170eba204a9a2403a1f80afc7e9a18c18c7d23dccd8b98edff479ae5b6129c5a2940628e5d772a3ef8395ab16d50e97a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI5995.tmp

Filesize
113KB

MD5
4fdd16752561cf585fed1506914d73e0

SHA1
f00023b9ae3c8ce5b7bb92f25011eaebe6f9d424

SHA256
aecd2d2fe766f6d439acc2bbf1346930ecc535012cf5ad7b3273d2875237b7e7

SHA512
3695e7eb1e35ec959243a91ab5b4454eb59aeef0f2699aa5de8e03de8fbb89f756a89130526da5c08815408cb700284a17936522ad2cad594c3e6e9d18a3f600

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA12E.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
C:\Users\Admin\AppData\Local\net.dllinjector\EBWebView\Crashpad\settings.dat

Filesize
152B

MD5
70e9c9ed2a94d874f0e1615bfd4a9ddf

SHA1
2d3f9111a7010c17dffb9691924751d335c48073

SHA256
954e854176e020ab4f51b76c46fe0e2b84b6e9e222690aea80d02cfc891661d2

SHA512
e71180ec4f11976960266657a1f1e67c8d447257053dbb46731ab007f9b2c3c7931f41e346fa3fda0b4f7f60e9dd3c418d33f5ef2a5d9f5e6fca40172e03318d

Download Submit
C:\Users\Admin\AppData\Local\net.dllinjector\EBWebView\Crashpad\settings.dat

Filesize
152B

MD5
60d26b25d3e7127b0403b0556c59fa98

SHA1
f40ca44a57cd8e8baa0a42eb7c2627857735acd2

SHA256
e9e89a223782020c2588db1c2df1a5bc769b3247aa6b0257374a72db4fa53f20

SHA512
cd7b3cd0c24c65402ecb3c004f10989e173139be4e08fa4a4eda44ca0b21a668e0c41d914e25a33d971f1a83ab8da508bdcedb88268a753f3c4d9562ce906a95

Download Submit
C:\Users\Admin\AppData\Local\net.dllinjector\EBWebView\Crashpad\throttle_store.dat

Filesize
20B

MD5
9e4e94633b73f4a7680240a0ffd6cd2c

SHA1
e68e02453ce22736169a56fdb59043d33668368f

SHA256
41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304

SHA512
193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

Download Submit
C:\Users\Admin\AppData\Local\net.dllinjector\EBWebView\Default\GPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\net.dllinjector\EBWebView\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\net.dllinjector\EBWebView\Default\GPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\net.dllinjector\EBWebView\Default\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\net.dllinjector\EBWebView\Default\Site Characteristics Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\net.dllinjector\EBWebView\d03f5e05-df1b-49f6-8f93-de26409f520b.tmp

Filesize
2KB

MD5
f9f5f4f368fbfbb9cd979027b7e6e3af

SHA1
b6201a78a205acb5019f271e8f76ba83a57e4a00

SHA256
5e083ec70bfb93453a07900b0a06a4a4522c2831ccf8a33832f17035fd8dace6

SHA512
e938e5e35a973590a553fec5a95f009939fed31b5c864d735f2797b7ed3b20d5c3be6e87d0682744fe038d2efc0e72be3d090dedee5e14144fb9e82b3a1620a8

Download Submit
C:\Users\Admin\Downloads\DLL Injector_2.1.0_x86_en-US.msi:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 670255.crdownload

Filesize
2.9MB

MD5
0592ca25cf22e8d5daabacd1130d38f6

SHA1
0a59fd8723de4cb9bf6c3272a5db7771e575eff9

SHA256
3b8991f1eebfc46988db25fe0ded11c3c08df81ae2ca1baf9103ba8259cafc99

SHA512
1be2c9f7ff9fc9cab5e5a784b281585d89070413722cb4584e91d4a4b57e628643871ee672049c32a8b2399c8358f1c6d7df20af1b3c39aa9b669902b71a91cc

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.6MB

MD5
9835d1a0bc69727feb0b6c097593243b

SHA1
95b3c5eacd476dc295ff1ed703205a50a5c6412c

SHA256
e7565afbaaf7f572e1105282417bb2d6380ce0b64b775da4e42966de6c5eead8

SHA512
42673b9ec3c890cce5a7937e1c81e38d727764de24c3f1e6fe19f0d921deb4eae4492a97ec66db4ad568bb4284ad0055c1bd56025cb9e21fe31f187d0861e4be

Download Submit
\??\Volume{fc95478e-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{c8fb756d-447f-47d7-974a-5a8a5713d51b}_OnDiskSnapshotProp

Filesize
6KB

MD5
a654df609efc0add4a8f23ef19c746ae

SHA1
e0a6dee7a98ad4e9d76cd21f9b9c61c798627d75

SHA256
3f38319ee0dbaa49f7cc4109bc9fc48eda93e0fd164d22c3d18aa85e9afa1f31

SHA512
078fa369d08b353ad0ee807d54e924aa033b71a7403af4de501dc051c0ed139214ce8e248b1f8f4659bf5698c0d87c76261e3c5d1d3813c9541ebdef336f7267

Download Submit
memory/5000-440-0x00007FF90AC10000-0x00007FF90AC11000-memory.dmp

Filesize
4KB

Download