File name:

injector.exe

Full analysis: https://app.any.run/tasks/1dc11bf8-a187-4432-aac1-de0504daa990
Verdict: Malicious activity
Analysis date: June 16, 2025, 03:23:14
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
iqvw64e-sys
vuln-driver
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64, for MS Windows, 7 sections
MD5:

15FA4864C56C1BC724F1098ABA8F08FB

SHA1:

FAAD863BFDE036AC3EA9C65090FCDF8716D8147C

SHA256:

3DE2E86DDE2444292306215C1082423E8CE8F99F5BF6E036DFB07AC32570C993

SSDEEP:

6144:oG0Sx4x1VJswRYC8baxFIl+DJQATVbohyDOJh67V4CWWlI+8NyxNX2NnRI/dJ:Wi44wRrEl+DJLdonaz1mNRiT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Vulnerable driver has been detected

      • Gxr2C.exe (PID: 4680)
  • SUSPICIOUS

    • There is functionality for taking screenshot (YARA)

      • injector.exe (PID: 3652)
    • Starts CMD.EXE for commands execution

      • injector.exe (PID: 3652)
    • Reads security settings of Internet Explorer

      • injector.exe (PID: 3652)
    • Executable content was dropped or overwritten

      • injector.exe (PID: 3652)
      • Gxr2C.exe (PID: 4680)
    • The process executes via Task Scheduler

      • updater.exe (PID: 2320)
    • Application launched itself

      • updater.exe (PID: 2320)
    • Reads the date of Windows installation

      • injector.exe (PID: 3652)
    • Creates or modifies Windows services

      • Gxr2C.exe (PID: 4680)
  • INFO

    • Checks supported languages

      • injector.exe (PID: 3652)
      • updater.exe (PID: 2320)
      • updater.exe (PID: 1896)
      • Gxr2C.exe (PID: 4680)
    • Reads the computer name

      • updater.exe (PID: 2320)
      • injector.exe (PID: 3652)
    • Reads the machine GUID from the registry

      • injector.exe (PID: 3652)
    • Process checks computer location settings

      • injector.exe (PID: 3652)
    • Create files in a temporary directory

      • Gxr2C.exe (PID: 4680)
    • Reads the software policy settings

      • slui.exe (PID: 2536)
    • Process checks whether UAC notifications are on

      • updater.exe (PID: 2320)
    • The sample compiled with english language support

      • Gxr2C.exe (PID: 4680)
    • Checks proxy server information

      • slui.exe (PID: 2536)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2022:05:26 22:39:31+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.31
CodeSize: 212480
InitializedDataSize: 313344
UninitializedDataSize: -
EntryPoint: 0x10ab8
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
No data.
All screenshots are available in the full report
Total processes
142
Monitored processes
10
Malicious processes
2
Suspicious processes
0

Behavior graph

Processes shown in the graph (in order): injector.exe, conhost.exe, cmd.exe (no specs), cmd.exe (no specs), gxr2c.exe (THREAT), conhost.exe (no specs), slui.exe, updater.exe (no specs), updater.exe (no specs), injector.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID:
1712
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
injector.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1896
CMD:
"C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=134.0.6985.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x111c460,0x111c46c,0x111c478
Path:
C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe
Parent process:
updater.exe
User:
SYSTEM
Company:
Google LLC
Integrity Level:
SYSTEM
Description:
Google Updater
Exit code:
0
Version:
134.0.6985.0
Modules
Images
c:\program files (x86)\google\googleupdater\134.0.6985.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID:
2044
CMD:
C:\WINDOWS\system32\cmd.exe /c color 9
Path:
C:\Windows\System32\cmd.exe
Parent process:
injector.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID:
2320
CMD:
"C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --wake --system
Path:
C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe
Parent process:
svchost.exe
User:
SYSTEM
Company:
Google LLC
Integrity Level:
SYSTEM
Description:
Google Updater
Exit code:
0
Version:
134.0.6985.0
Modules
Images
c:\program files (x86)\google\googleupdater\134.0.6985.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID:
2536
CMD:
C:\WINDOWS\System32\slui.exe -Embedding
Path:
C:\Windows\System32\slui.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID:
3652
CMD:
"C:\Users\admin\Desktop\injector.exe"
Path:
C:\Users\admin\Desktop\injector.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\desktop\injector.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID:
3720
CMD:
C:\WINDOWS\system32\cmd.exe /c cls
Path:
C:\Windows\System32\cmd.exe
Parent process:
injector.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID:
4680
CMD:
"C:\WINDOWS\SoftwareDistribution\Download\Gxr2C.exe"
Path:
C:\Windows\SoftwareDistribution\Download\Gxr2C.exe
Parent process:
injector.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\windows\softwaredistribution\download\gxr2c.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID:
6652
CMD:
"C:\Users\admin\Desktop\injector.exe"
Path:
C:\Users\admin\Desktop\injector.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\desktop\injector.exe
c:\windows\system32\ntdll.dll
PID:
6960
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
Gxr2C.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
3 814
Read events
3 811
Write events
2
Delete events
1

Modification events

(PID) Process: (4680) Gxr2C.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\iwnCSKUCEsobqwqEyNmp
Operation: write
Name: ImagePath
Value:
\??\C:\Users\admin\AppData\Local\Temp\iwnCSKUCEsobqwqEyNmp

(PID) Process: (4680) Gxr2C.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\iwnCSKUCEsobqwqEyNmp
Operation: write
Name: Type
Value:
1

(PID) Process: (4680) Gxr2C.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\iwnCSKUCEsobqwqEyNmp
Operation: delete key
Name: (default)
Value:
-
Executable files
2
Suspicious files
0
Text files
1
Unknown types
0

Dropped files

PID | Process | Filename | Type
3652 | injector.exe | C:\Windows\SoftwareDistribution\Download\Gxr2C.exe | executable
MD5: 9886A738E05F8A8FE04E9D0C81CC0909
SHA256: ABF99BD1D851C4C7015B999E81FB080E7E1147973E6A3A77C8BA7895CC8ABBB6
4680 | Gxr2C.exe | C:\Users\admin\AppData\Local\Temp\iwnCSKUCEsobqwqEyNmp | executable
MD5: 1898CEDA3247213C084F43637EF163B3
SHA256: 4429F32DB1CC70567919D7D47B844A91CF1329A6CD116F582305F3B7B60CD60B
1896 | updater.exe | C:\Program Files (x86)\Google\GoogleUpdater\updater.log | text
MD5: 8D7349CD19A4437D12B4433634682E09
SHA256: DC7018DBE16649CBC3D9AAE898EF8139D6E382E99F019EEB7F792F496945A48A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
19
DNS requests
8
Threats
0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1268 | svchost.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
6368 | RUXIMICS.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
6368 | RUXIMICS.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
- | - | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5944 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1268 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6368 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
6368 | RUXIMICS.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
1268 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158 | whitelisted
google.com | 142.250.185.110 | whitelisted
crl.microsoft.com | 23.216.77.28, 23.216.77.6 | whitelisted
www.microsoft.com | 23.35.229.160 | whitelisted
activation-v2.sls.microsoft.com | 20.83.72.98, 40.91.76.224 | whitelisted
self.events.data.microsoft.com | 13.89.178.26 | whitelisted

Threats

No threats detected

Debug output

Process | Message
conhost.exe | CONSRV: Ignoring backspace to previous line (the same message was logged 10 times)