File name:

injection.exe

Full analysis: https://app.any.run/tasks/f0ab3903-190d-497b-824c-3f73e3c397d4
Verdict: Malicious activity
Analysis date: April 02, 2025, 12:15:18
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:

9D3F9662E05462F68F02AEFBF15D086B

SHA1:

D1B6FCFEC688E360EE14440A0F5FD065305DCAD5

SHA256:

942AF58C8AB30F11DF6E4AA7D64E02F4E7619602D1FD887F995D2D1288C1945C

SSDEEP:

12288:jiagAjUAoL/oWsA6pKBaU1gIpfJ4ng0yewch+x+:ea9jUAOs/plcgIpfCng0yeh+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Known privilege escalation attack

      • dllhost.exe (PID: 7212)

    • Adds path to the Windows Defender exclusion list

      • injection.exe (PID: 7664)

    • Changes Windows Defender settings

      • injection.exe (PID: 7664)

    • Changes powershell execution policy (Bypass)

      • injection.exe (PID: 7664)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 4724)
      • powershell.exe (PID: 7280)

    • Adds process to the Windows Defender exclusion list

      • injection.exe (PID: 7664)

  • SUSPICIOUS

    • Reads the date of Windows installation

      • injection.exe (PID: 4380)
      • injection.exe (PID: 7664)

    • Reads security settings of Internet Explorer

      • injection.exe (PID: 4380)
      • injection.exe (PID: 7664)
      • wlanext.exe (PID: 7424)

    • Probably UAC bypass using CMSTP.exe (Connection Manager service profile)

      • injection.exe (PID: 4380)

    • Runs shell command (SCRIPT)

      • mshta.exe (PID: 7472)
      • mshta.exe (PID: 7796)

    • Starts CMD.EXE for commands execution

      • mshta.exe (PID: 7472)
      • injection.exe (PID: 7664)

    • The executable file from the user directory is run by the CMD process

      • injection.exe (PID: 7664)

    • Executes as Windows Service

      • VSSVC.exe (PID: 8108)

    • Uses TASKKILL.EXE to kill process

      • mshta.exe (PID: 7796)

    • Script adds exclusion path to Windows Defender

      • injection.exe (PID: 7664)

    • Starts POWERSHELL.EXE for commands execution

      • injection.exe (PID: 7664)

    • Script adds exclusion process to Windows Defender

      • injection.exe (PID: 7664)

    • The process executes via Task Scheduler

      • wlanext.exe (PID: 7424)

    • Executing commands from a ".bat" file

      • injection.exe (PID: 7664)

    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 7416)

    • Process drops legitimate windows executable

      • wlanext.exe (PID: 7424)

    • The process creates files with name similar to system file names

      • wlanext.exe (PID: 7424)

    • Executable content was dropped or overwritten

      • wlanext.exe (PID: 7424)
      • injection.exe (PID: 7664)

  • INFO

    • Reads the machine GUID from the registry

      • injection.exe (PID: 4380)
      • wlanext.exe (PID: 7424)

    • Reads the computer name

      • injection.exe (PID: 4380)
      • injection.exe (PID: 7664)
      • wlanext.exe (PID: 7424)

    • Process checks computer location settings

      • injection.exe (PID: 4380)
      • injection.exe (PID: 7664)

    • Checks supported languages

      • injection.exe (PID: 4380)
      • injection.exe (PID: 7664)
      • wlanext.exe (PID: 7424)

    • Disables trace logs

      • cmstp.exe (PID: 5428)

    • Checks transactions between databases Windows and Oracle

      • cmstp.exe (PID: 5428)

    • Reads Internet Explorer settings

      • mshta.exe (PID: 7472)
      • mshta.exe (PID: 7796)

    • Creates files in the program directory

      • dllhost.exe (PID: 7212)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 4724)
      • powershell.exe (PID: 7280)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 7280)
      • powershell.exe (PID: 4724)

    • The sample compiled with english language support

      • wlanext.exe (PID: 7424)

    • Create files in a temporary directory

      • injection.exe (PID: 7664)

    • Creates files or folders in the user directory

      • injection.exe (PID: 7664)
      • wlanext.exe (PID: 7424)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe | Win64 Executable (generic) (21.3)
.scr | Windows screen saver (10.1)
.dll | Win32 Dynamic Link Library (generic) (5)
.exe | Win32 Executable (generic) (3.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:04:02 12:14:55+00:00
ImageFileCharacteristics: Executable
PEType: PE32
LinkerVersion: 8
CodeSize: 428032
InitializedDataSize: 2048
UninitializedDataSize: -
EntryPoint: 0x6a7e2
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
FileDescription:
FileVersion: 1.0.0.0
InternalName: injection.exe
LegalCopyright:
OriginalFileName: injection.exe
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
150
Monitored processes
22
Malicious processes
4
Suspicious processes
2

Behavior graph

Click at the process to see the details
start injection.exe no specs cmstp.exe no specs CMSTPLUA sppextcomobj.exe no specs slui.exe no specs mshta.exe no specs cmd.exe no specs conhost.exe no specs injection.exe mshta.exe no specs taskkill.exe no specs conhost.exe no specs SPPSurrogate no specs vssvc.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs wlanext.exe cmd.exe no specs conhost.exe no specs timeout.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3180\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
4380"C:\Users\admin\AppData\Local\Temp\injection.exe" C:\Users\admin\AppData\Local\Temp\injection.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\injection.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
4724"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\admin\AppData\Roaming\wlanext.exe'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeinjection.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5428"C:\WINDOWS\system32\cmstp.exe" /au C:\WINDOWS\temp\3dgkeh02.infC:\Windows\System32\cmstp.exeinjection.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Connection Manager Profile Installer
Exit code:
1
Version:
7.2.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmstp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
7212C:\WINDOWS\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}C:\Windows\System32\dllhost.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
7268\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7280"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'wlanext.exe'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeinjection.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll
7292C:\WINDOWS\system32\SppExtComObj.exe -EmbeddingC:\Windows\System32\SppExtComObj.Exesvchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
7324"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEventC:\Windows\System32\slui.exeSppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
7416C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\tmp30A.tmp.bat""C:\Windows\System32\cmd.exeinjection.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
Total events
14 718
Read events
14 657
Write events
61
Delete events
0

Modification events

(PID) Process:(5428) cmstp.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(5428) cmstp.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(5428) cmstp.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(5428) cmstp.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP
Operation:writeName:FileTracingMask
Value:
(PID) Process:(5428) cmstp.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP
Operation:writeName:ConsoleTracingMask
Value:
(PID) Process:(5428) cmstp.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(5428) cmstp.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(7212) dllhost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\cmmgr32.exe
Operation:writeName:ProfileInstallPath
Value:
C:\ProgramData\Microsoft\Network\Connections\Cm
(PID) Process:(5428) cmstp.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\Network Connections
Operation:writeName:DesktopShortcut
Value:
0
(PID) Process:(7212) dllhost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
Operation:writeName:SM_AccessoriesName
Value:
Accessories
Executable files
3
Suspicious files
1
Text files
5
Unknown types
0

Dropped files

PID
Process
Filename
Type
4724powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_trur4zhg.ggr.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4380injection.exeC:\Windows\Temp\3dgkeh02.inftext
MD5:301D2BC1EFE9CD41C9426E4FEA874714
SHA256:75946AEF0DDA3338C1E388AAF184D57D01F8E3AEFBCB87CD13EEAE9530A4A6EA
7280powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_llni3ts5.a5b.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7664injection.exeC:\Users\admin\AppData\Roaming\wlanext.exeexecutable
MD5:9D3F9662E05462F68F02AEFBF15D086B
SHA256:942AF58C8AB30F11DF6E4AA7D64E02F4E7619602D1FD887F995D2D1288C1945C
7664injection.exeC:\Users\admin\AppData\Local\Temp\tmp30A.tmp.battext
MD5:E3AF772A757BFA7F44F72A3C07147500
SHA256:0E8FEA02E3803691ED907CF3D2D450427B075C0B6467798ED28ED877293D0331
7424wlanext.exeC:\Users\admin\AppData\Roaming\svchost.exeexecutable
MD5:D178119D8DE4E18B05C3DEFB22B6D3CC
SHA256:8456099DEB994F309FDE890E4F0E571A0A67F9B7DD079516905175CD1500FA52
4724powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_20rs54ql.002.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7280powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_bechg3bl.lse.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4724powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:C94CB3C24F3A76A2D321F13AC7143D33
SHA256:AF62C050FA09843D0F1E99BCD64C2906159EEAAE471F02AB931B8C10F0059336
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
12
DNS requests
7
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
192.168.100.255:137
whitelisted
23.48.23.143:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
3216
svchost.exe
172.172.255.218:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6544
svchost.exe
20.190.160.132:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
2104
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
google.com
  • 142.250.185.238
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.156
  • 23.48.23.164
  • 23.48.23.176
  • 23.48.23.173
whitelisted
client.wns.windows.com
  • 172.172.255.218
whitelisted
login.live.com
  • 20.190.160.132
  • 40.126.32.72
  • 40.126.32.138
  • 40.126.32.76
  • 20.190.160.3
  • 20.190.160.2
  • 40.126.32.136
  • 20.190.160.17
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
injection.exe