File name: 64th_Services.exe

Full analysis: https://app.any.run/tasks/47f43a13-97fb-4223-a8a8-c8634976ade5
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: July 01, 2025, 05:52:41
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
github
delphi
loader
confuser
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (console) Intel 80386, for MS Windows, 5 sections
MD5: D8A035FCA77BC2ADD9DD28638065528F
SHA1: AAA95A843DD7C63BF68031AD600574FBFE7E987E
SHA256: 46D0A693C5BE41846F25259D5EC44378333A420CB020B5AB88CF8D1470CC9E6B
SSDEEP: 12288:mADglXZf/URJqKlAjx5y9w2tEU9DJ4pEo7:mADglpf/URJq1jxc6cEU9DJ4p97

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Gets or sets the symmetric key that is used for encryption and decryption (POWERSHELL)

      • 64th_Services.exe (PID: 2716)
    • Uses AES cipher (POWERSHELL)

      • 64th_Services.exe (PID: 2716)
    • Gets or sets the initialization vector for the symmetric algorithm (POWERSHELL)

      • 64th_Services.exe (PID: 2716)
    • Downloads the requested resource (POWERSHELL)

      • 64th_Services.exe (PID: 2716)
    • Executing a file with an untrusted certificate

      • Microsoft.ServiceHub.Controller.exe (PID: 6104)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 64th_Services.exe (PID: 2716)
      • tmp900C.exe (PID: 1128)
    • Uses base64 encoding (POWERSHELL)

      • 64th_Services.exe (PID: 2716)
    • Executable content was dropped or overwritten

      • tmp900C.exe (PID: 1128)
      • 64th_Services.exe (PID: 2716)
    • Process drops legitimate windows executable

      • tmp900C.exe (PID: 1128)
    • Reads the date of Windows installation

      • tmp900C.exe (PID: 1128)
    • Executes application which crashes

      • Microsoft.ServiceHub.Controller.exe (PID: 6104)
    • There is functionality for taking screenshot (YARA)

      • tmp900C.exe (PID: 1128)
    • Writes data into a file (POWERSHELL)

      • 64th_Services.exe (PID: 2716)
  • INFO

    • Reads the computer name

      • 64th_Services.exe (PID: 2716)
      • tmp900C.exe (PID: 1128)
      • Microsoft.ServiceHub.Controller.exe (PID: 6104)
    • Create files in a temporary directory

      • 64th_Services.exe (PID: 2716)
      • tmp900C.exe (PID: 1128)
    • Reads the machine GUID from the registry

      • 64th_Services.exe (PID: 2716)
      • tmp900C.exe (PID: 1128)
      • Microsoft.ServiceHub.Controller.exe (PID: 6104)
    • Checks supported languages

      • 64th_Services.exe (PID: 2716)
      • tmp900C.exe (PID: 1128)
      • Microsoft.ServiceHub.Controller.exe (PID: 6104)
    • Gets data length (POWERSHELL)

      • 64th_Services.exe (PID: 2716)
    • Reads the software policy settings

      • 64th_Services.exe (PID: 2716)
      • tmp900C.exe (PID: 1128)
      • WerFault.exe (PID: 3648)
      • slui.exe (PID: 2792)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • 64th_Services.exe (PID: 2716)
    • Disables trace logs

      • 64th_Services.exe (PID: 2716)
      • tmp900C.exe (PID: 1128)
    • Checks proxy server information

      • 64th_Services.exe (PID: 2716)
      • tmp900C.exe (PID: 1128)
      • WerFault.exe (PID: 3648)
      • slui.exe (PID: 2792)
    • Compiled with Borland Delphi (YARA)

      • 64th_Services.exe (PID: 2716)
    • Creates files in the program directory

      • tmp900C.exe (PID: 1128)
    • Reads Environment values

      • tmp900C.exe (PID: 1128)
    • Process checks computer location settings

      • tmp900C.exe (PID: 1128)
      • 64th_Services.exe (PID: 2716)
    • Confuser has been detected (YARA)

      • tmp900C.exe (PID: 1128)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 3648)
    • Uses string replace method (POWERSHELL)

      • 64th_Services.exe (PID: 2716)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (64.5)
.dll | Win32 Dynamic Link Library (generic) (13.6)
.exe | Win32 Executable (generic) (9.3)
.exe | Win16/32 Executable Delphi generic (4.2)
.exe | Generic Win/DOS Executable (4.1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:06:30 21:36:04+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 29184
InitializedDataSize: 190976
UninitializedDataSize: -
EntryPoint: 0x900e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows command line
FileVersionNumber: 6.0.0.0
ProductVersionNumber: 6.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
FileDescription: what are u looking at nigga?
FileVersion: 6
InternalName: 64th Services.exe
LegalCopyright:
OriginalFileName: 64th Services.exe
ProductName: 64th Service
ProductVersion: 6
AssemblyVersion: 6.0.0.0
No data.
All screenshots are available in the full report
Total processes: 143
Monitored processes: 8
Malicious processes: 2
Suspicious processes: 1

Behavior graph

Processes in the graph (from the start node): 64th_services.exe, conhost.exe (no specs), tmp900c.exe, microsoft.servicehub.controller.exe, werfault.exe, slui.exe, 64th_services.exe (no specs), svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1128
CMD: "C:\Users\admin\AppData\Local\Temp\tmp900C.exe"
Path: C:\Users\admin\AppData\Local\Temp\tmp900C.exe
Parent process: 64th_Services.exe
User:
admin
Company:

Integrity Level:
HIGH
Description:

Version:
0
Modules
Images
c:\users\admin\appdata\local\temp\tmp900c.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2064
CMD: "C:\Users\admin\Desktop\64th_Services.exe"
Path: C:\Users\admin\Desktop\64th_Services.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
what are u looking at nigga?
Exit code:
3221226540
Version:
6
Modules
Images
c:\users\admin\desktop\64th_services.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 2200
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 2716
CMD: "C:\Users\admin\Desktop\64th_Services.exe"
Path: C:\Users\admin\Desktop\64th_Services.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
HIGH
Description:
what are u looking at nigga?
Exit code:
0
Version:
6
Modules
Images
c:\users\admin\desktop\64th_services.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 2792
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 3648
CMD: C:\WINDOWS\system32\WerFault.exe -u -p 6104 -s 1252
Path: C:\Windows\System32\WerFault.exe
Parent process: Microsoft.ServiceHub.Controller.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\cryptsp.dll
PID: 5924
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: 64th_Services.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6104
CMD: "C:\ProgramData\Microsoft.ServiceHub.Controller.exe"
Path: C:\ProgramData\Microsoft.ServiceHub.Controller.exe
Parent process: tmp900C.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft.ServiceHub.Controller
Exit code:
2148734499
Version:
17.14.40366.57284
Modules
Images
c:\programdata\microsoft.servicehub.controller.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events: 20 742
Read events: 20 689
Write events: 50
Delete events: 3

Modification events

Process: (2716) 64th_Services.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\64th_Services_RASAPI32
Operation: write
Name: EnableFileTracing
Value: 0

Process: (2716) 64th_Services.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\64th_Services_RASAPI32
Operation: write
Name: EnableAutoFileTracing
Value: 0

Process: (2716) 64th_Services.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\64th_Services_RASAPI32
Operation: write
Name: EnableConsoleTracing
Value: 0

Process: (2716) 64th_Services.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\64th_Services_RASAPI32
Operation: write
Name: FileTracingMask
Value:

Process: (2716) 64th_Services.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\64th_Services_RASAPI32
Operation: write
Name: ConsoleTracingMask
Value:

Process: (2716) 64th_Services.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\64th_Services_RASAPI32
Operation: write
Name: MaxFileSize
Value: 1048576

Process: (2716) 64th_Services.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\64th_Services_RASAPI32
Operation: write
Name: FileDirectory
Value: %windir%\tracing

Process: (2716) 64th_Services.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\64th_Services_RASMANCS
Operation: write
Name: EnableFileTracing
Value: 0

Process: (2716) 64th_Services.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\64th_Services_RASMANCS
Operation: write
Name: EnableAutoFileTracing
Value: 0

Process: (2716) 64th_Services.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\64th_Services_RASMANCS
Operation: write
Name: EnableConsoleTracing
Value: 0
Executable files: 2
Suspicious files: 2
Text files: 7
Unknown types: 0

Dropped files

PID
Process
Filename
Type
PID: 3648
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Microsoft.Servic_e39bc9f687ec272111467077f1d9ef7b86057_045ba829_7c300c70-f2f2-4dd0-bc88-a34a13ae188c\Report.wer
MD5:
SHA256:

PID: 3648
Process: WerFault.exe
Filename: C:\Users\admin\AppData\Local\CrashDumps\Microsoft.ServiceHub.Controller.exe.6104.dmp
MD5:
SHA256:

PID: 2716
Process: 64th_Services.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_yjxaabki.rp3.ps1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 2716
Process: 64th_Services.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ugyaznbn.3ch.ps1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 2716
Process: 64th_Services.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_u1simxse.ww0.psm1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 2716
Process: 64th_Services.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_besclxpl.zfu.psm1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 1128
Process: tmp900C.exe
Filename: C:\ProgramData\Microsoft.ServiceHub.Controller.exe
Type: executable
MD5: F747AE721DCDCBF06AEDAA75A896563E
SHA256: E34E0646332BB763BA3B6D850A329A2292130847E25FF85352F4D5D59296648F

PID: 3648
Process: WerFault.exe
Filename: C:\Windows\appcompat\Programs\Amcache.hve
Type: binary
MD5: 0CD3610F946C31EE4E8EB980D6F74226
SHA256: 1FFAED3F7822C6821FBB279ABF42E5A4FA63894DDD725EAC2A5740118385AB5E

PID: 2716
Process: 64th_Services.exe
Filename: C:\Users\admin\AppData\Local\Temp\tmp900C.exe
Type: executable
MD5: C0067BAC39D796CA5FCB84F60CE05168
SHA256: 199E823D5C0A31BF7EFBE8D72CAA094965489D20808E773242D395550B937734

PID: 3648
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WERA3D1.tmp.dmp
Type: binary
MD5: 869730B66D02CD5D83F108BB61245DA7
SHA256: FFB147F411725C53EEB35F7B5F9B0BB6F994785EF5D018DDF4D7F6DC4211E9A9
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 12
TCP/UDP connections: 28
DNS requests: 12
Threats: 12

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2228 | RUXIMICS.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 302 | 140.82.121.3:443 | https://github.com/64thservicess/UPDATELOADER/raw/refs/heads/main/64th%20Service.exe | unknown | - | - | -
1268 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
2228 | RUXIMICS.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 140.82.121.3:443 | https://raw.githubusercontent.com/64thservicess/UPDATELOADER/refs/heads/main/64th%20Service.exe | unknown | executable | 13.9 Mb | whitelisted
- | - | GET | 200 | 108.181.20.35:443 | https://files.catbox.moe/ey0kfb.bin | unknown | executable | 73.5 Kb | malicious
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 51.124.78.146:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2228 | RUXIMICS.exe | 51.124.78.146:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1268 | svchost.exe | 51.124.78.146:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1268 | svchost.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
2228 | RUXIMICS.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 216.58.212.142
whitelisted
crl.microsoft.com
  • 23.216.77.28
  • 23.216.77.6
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
github.com
  • 140.82.121.3
whitelisted
raw.githubusercontent.com
  • 185.199.110.133
  • 185.199.109.133
  • 185.199.111.133
  • 185.199.108.133
whitelisted
files.catbox.moe
  • 108.181.20.35
malicious
watson.events.data.microsoft.com
  • 104.208.16.94
whitelisted
prod.keyauth.com
  • 104.21.112.1
  • 104.21.64.1
  • 104.21.32.1
  • 104.21.96.1
  • 104.21.48.1
  • 104.21.80.1
  • 104.21.16.1
malicious
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

PID | Process | Class | Message
2200 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Attempting to access raw user content on GitHub
2200 | svchost.exe | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
2200 | svchost.exe | Misc activity | ET HUNTING EXE Downloaded from Github
2200 | svchost.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
1128 | tmp900C.exe | Potentially Bad Traffic | ET INFO Observed File Sharing Service Download Domain (files .catbox .moe in TLS SNI)
1128 | tmp900C.exe | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
1128 | tmp900C.exe | A Network Trojan was detected | ET MALWARE Brute Ratel Fake User-Agent
1128 | tmp900C.exe | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
1128 | tmp900C.exe | Misc activity | ET HUNTING EXE Downloaded from Github
1128 | tmp900C.exe | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
Process | Message
Microsoft.ServiceHub.Controller.exe | CLR: Managed code called FailFast without specifying a reason.