File name: svc.exe

Full analysis: https://app.any.run/tasks/67f68374-ed94-4292-88d5-5ed972b6f96d
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: February 19, 2025, 23:54:27
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5: 06635111468AF8497979F05CCD5BC2EA
SHA1: C47183EA225D56B2E329D0DC9446982306A3A9B9
SHA256: 5400F3387D683CD31ED39F493893DA4107B65BE55163573BD219C749802AFE69
SSDEEP: 49152:EkZtSFGfxM1OFNqxrl+/yMtPkUM0d4tD1bxGnLg6rMD4r0U:EkZijI4+/LtMwHg

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Actions looks like stealing of personal data

      • svc.exe (PID: 1512)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • svc.exe (PID: 1512)
    • Connects to the server without a host name

      • svc.exe (PID: 1512)
    • Potential Corporate Privacy Violation

      • svc.exe (PID: 1512)
  • INFO

    • Creates files in the program directory

      • svc.exe (PID: 1512)
    • Checks supported languages

      • svc.exe (PID: 1512)
    • Checks proxy server information

      • svc.exe (PID: 1512)
    • Reads the computer name

      • svc.exe (PID: 1512)
    • Create files in a temporary directory

      • svc.exe (PID: 1512)
    • Creates files or folders in the user directory

      • svc.exe (PID: 1512)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:02:13 15:18:03+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 11
CodeSize: 955904
InitializedDataSize: 273408
UninitializedDataSize: -
EntryPoint: 0xd1404
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 122
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start svc.exe

Process information

PID | CMD | Path | Indicators | Parent process
1512 | "C:\Users\admin\Desktop\svc.exe" | C:\Users\admin\Desktop\svc.exe | - | explorer.exe

User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\desktop\svc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
Total events: 592
Read events: 589
Write events: 3
Delete events: 0

Modification events

(PID) Process: (1512) svc.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (1512) svc.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (1512) svc.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:
Executable files: 0
Suspicious files: 5
Text files: 6
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
1512 | svc.exe | C:\ProgramData\6830FA554F652512029130\Browsers\Chrome_History.txt | - | - | -
1512 | svc.exe | C:\ProgramData\6830FA554F652512029130\Browsers\Chrome_Downloads.txt | - | - | -
1512 | svc.exe | C:\ProgramData\6830FA554F652512029130\Browsers\Edge_Downloads.txt | - | - | -
1512 | svc.exe | C:\ProgramData\6830FA554F652512029130\Software_Info.txt | text | DDD0D6B9992364DC4CEF1A21F83CB957 | 2D6DE0073E64A958C02EFC65E0E1F4A8B2F2FC91057FBB4C71FFDAE3F904AB53
1512 | svc.exe | C:\ProgramData\6830FA554F652512029130\Screenshot.jpg | binary | C4306478EF624DE8B8E310BCC8BCB4EF | 60FD394D9960A40BBA614E6EB988065A9FD858CA975BD13CCF864012D6D199BF
1512 | svc.exe | C:\ProgramData\6830FA554F652512029130\System_info.txt | text | A9E34AAD493EE4E77CEFD7E1724E7415 | B5338D42FE7D453A2C87683FAF876DAE86FD1E7DACB08EBAD7C8D3348EBCE1D7
1512 | svc.exe | C:\ProgramData\6830FA554F652512029130\FTP Clients\FileZilla\queue.sqlite3 | binary | 814062819B4AEF158A726D9D50142008 | CA62AC5062DA0659D8E6FCA164A102D2D9F9EF8C4D461FCE5459560B4C30270E
1512 | svc.exe | C:\ProgramData\6830FA554F652512029130\FTP Clients\FileZilla\layout.xml | xml | 4526724CD149C14EF9D37D86F825B9F7 | 138167D8F03D48E88DA0AEC3DF38F723BC1895822F75660CCCB5E994814BEE90
1512 | svc.exe | C:\ProgramData\6830FA554F652512029130\FTP Clients\FileZilla\filezilla.xml | xml | 32F683306CE4FA78157113BB9EACB51D | 16283B36975456118FBAC2A0CB0AB466C2D26E2B396DD938CDF129F2D3224570
1512 | svc.exe | C:\ProgramData\6830FA554F652512029130.zip | compressed | 10D68E82E46E423F965E7D6528F8C0F1 | AA171CF21BB360D7893C47ED48A1AC1C3BB874A322A2C2BE98E94B4601F45CEC
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 8
TCP/UDP connections: 18
DNS requests: 7
Threats: 6

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1512 | svc.exe | POST | 200 | 185.81.68.156:80 | http://185.81.68.156/svcstealer/get.php | unknown | - | - | malicious
1512 | svc.exe | POST | 200 | 185.81.68.156:80 | http://185.81.68.156/svcstealer/get.php | unknown | - | - | malicious
4308 | svchost.exe | GET | 200 | 23.48.23.35:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.35:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
4308 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1512 | svc.exe | POST | 200 | 185.81.68.156:80 | http://185.81.68.156/svcstealer/get.php | unknown | - | - | malicious
4712 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1512 | svc.exe | POST | 200 | 185.81.68.156:80 | http://185.81.68.156/svcstealer/get.php | unknown | - | - | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
904 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4712 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4308 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 104.126.37.131:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1512 | svc.exe | 185.81.68.156:80 | - | Chang Way Technologies Co. Limited | RU | malicious
4308 | svchost.exe | 23.48.23.35:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 23.48.23.35:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158, 20.73.194.208 | whitelisted
www.bing.com | 104.126.37.131, 104.126.37.145, 104.126.37.139 | whitelisted
google.com | 142.250.186.46 | whitelisted
crl.microsoft.com | 23.48.23.35, 23.48.23.11 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
self.events.data.microsoft.com | 104.208.16.95 | whitelisted

Threats

PID | Process | Class | Message
1512 | svc.exe | Misc activity | INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
1512 | svc.exe | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 30
1512 | svc.exe | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Sending Screenshot in Archive via POST Request
1512 | svc.exe | Misc activity | INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
1512 | svc.exe | Misc activity | INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
1512 | svc.exe | Misc activity | INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
No debug info