File name: services.exe

Full analysis: https://app.any.run/tasks/4b6aa5ef-8bea-49d4-be67-83545e31cfbe
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are malware that gives an attacker partial or complete control over an infected computer. Such programs are often modular, offering a wide range of functions for illicit activity on the compromised system; common capabilities include access to the user's data, webcam, and keystrokes. RATs are typically distributed through phishing emails and links.

Analysis date: May 08, 2026, 07:44:52
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: babylon, rat, upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5: C35E5936814A357332E903CF4683217D
SHA1: 19BD3AC8C23869C6124E17DAD4006FC05E999D30
SHA256: 60AFDD784796754F4C91BDD26B72157CC62692FA7134BC91BEE694FBB2B0E057
SSDEEP: 12288:Od1HbEyfeRvfQF9y31GVpQdZbePtgwWV6AQSXP9yWvbjgUAovQ:Od1HbEyfeRvIFA3yQdNe1dzAQ2P9yWvh

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report may be distorted by user actions and is provided as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • services.exe (PID: 5196)
      • services.exe (PID: 4316)
      • services.exe (PID: 2684)
    • BABYLON has been detected (YARA)

      • services.exe (PID: 4316)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • services.exe (PID: 5196)
    • Starts itself from another location

      • services.exe (PID: 5196)
    • The process creates files with name similar to system file names

      • services.exe (PID: 5196)
    • The process executes files with name similar to system file names

      • services.exe (PID: 5196)
  • INFO

    • Reads the computer name

      • services.exe (PID: 5196)
      • services.exe (PID: 4316)
      • services.exe (PID: 2684)
    • Launching a file from a Registry key

      • services.exe (PID: 5196)
      • services.exe (PID: 4316)
      • services.exe (PID: 2684)
    • Checks supported languages

      • services.exe (PID: 5196)
      • services.exe (PID: 4316)
      • services.exe (PID: 2684)
    • Manual execution by a user

      • services.exe (PID: 2684)
    • UPX packer has been detected

      • services.exe (PID: 4316)
    • There is functionality for taking screenshot (YARA)

      • services.exe (PID: 4316)
No Malware configuration.
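The MALICIOUS and SUSPICIOUS signatures above (a binary named like a system file running from a user-writable path, the sample relaunching itself from a second location, the unusual parent) can be re-derived from the process records further down in this report. The Python below is an added example, not ANY.RUN's code and not part of the report: it evaluates a constructed process list modelled on the three services.exe instances here (PIDs 2684, 4316, 5196) plus one made-up legitimate services.exe as a control. The table of where each system binary normally lives, who starts it and which account it runs under is an assumption based on a standard Windows 10 layout, not something the report states.

```python
from collections import defaultdict
from typing import Dict, List

# Where a few Windows system binaries normally live, who normally starts them and
# which account they run under. Assumption: standard Windows 10 layout; this table
# is not taken from the report.
SYSTEM_BINARIES = {
    "services.exe": {"dirs": {r"c:\windows\system32"}, "parent": "wininit.exe", "user": "system"},
    "lsass.exe":    {"dirs": {r"c:\windows\system32"}, "parent": "wininit.exe", "user": "system"},
    "svchost.exe":  {"dirs": {r"c:\windows\system32", r"c:\windows\syswow64"}, "parent": "services.exe", "user": None},
    "explorer.exe": {"dirs": {r"c:\windows"}, "parent": None, "user": None},
}

# SHA256 of the analysed sample, taken from the report header.
SAMPLE_SHA256 = "60AFDD784796754F4C91BDD26B72157CC62692FA7134BC91BEE694FBB2B0E057".lower()

# Constructed process records modelled on the three services.exe instances in the
# report, plus one legitimate services.exe as a control (its hash is made up).
PROCESSES = [
    {"pid": 5196, "path": r"C:\Users\admin\Desktop\services.exe", "parent": "explorer.exe",
     "user": "admin", "sha256": SAMPLE_SHA256},
    {"pid": 4316, "path": r"C:\ProgramData\setup\services.exe", "parent": "services.exe",
     "user": "admin", "sha256": SAMPLE_SHA256},
    {"pid": 2684, "path": r"C:\ProgramData\setup\services.exe", "parent": "explorer.exe",
     "user": "admin", "sha256": SAMPLE_SHA256},
    {"pid": 668, "path": r"C:\Windows\System32\services.exe", "parent": "wininit.exe",
     "user": "SYSTEM", "sha256": "0" * 64},
]


def split_path(path: str):
    """Return (directory, file name), both lower-cased, for a Windows path."""
    p = path.replace("/", "\\").lower()
    head, _, tail = p.rpartition("\\")
    return head, tail


def masquerade_findings(processes: List[Dict]) -> Dict[int, List[str]]:
    """Map each PID to the anomalies found for it (an empty list means clean)."""
    findings = {p["pid"]: [] for p in processes}
    paths_by_hash = defaultdict(set)

    for p in processes:
        directory, name = split_path(p["path"])
        paths_by_hash[p["sha256"].lower()].add(directory + "\\" + name)
        expected = SYSTEM_BINARIES.get(name)
        if expected is None:
            continue
        if directory not in expected["dirs"]:
            findings[p["pid"]].append(f"{name} running from {directory}, not a system directory")
        if expected["parent"] and p["parent"].lower() != expected["parent"]:
            findings[p["pid"]].append(f"{name} started by {p['parent']}, expected {expected['parent']}")
        if expected["user"] and p["user"].lower() != expected["user"]:
            findings[p["pid"]].append(f"{name} running as {p['user']}, expected SYSTEM")

    # "Starts itself from another location": one image (same hash) executed from
    # more than one path, as with the Desktop copy and the ProgramData copy here.
    for p in processes:
        own = "\\".join(split_path(p["path"]))
        others = sorted(paths_by_hash[p["sha256"].lower()] - {own})
        if others:
            findings[p["pid"]].append("same image also executed from " + ", ".join(others))
    return findings


if __name__ == "__main__":
    for pid, reasons in masquerade_findings(PROCESSES).items():
        print(pid, "clean" if not reasons else "; ".join(reasons))
```

The control process (PID 668) comes back clean; each of the three sample processes gets four findings, which is what the report's "creates/executes files with name similar to system file names" and "Starts itself from another location" signatures express.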

TRiD

.exe | UPX compressed Win32 Executable (76)
.exe | Win32 Executable (generic) (12.6)
.exe | Generic Win/DOS Executable (5.6)
.exe | DOS Executable Generic (5.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2015:07:31 21:07:17+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 12
CodeSize: 364544
InitializedDataSize: 4096
UninitializedDataSize: 446464
EntryPoint: 0xc60f0
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
All screenshots are available in the full report
Total processes: 135
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 1

Behavior graph

Graph nodes (interactive graph available in the full report): start, services.exe, services.exe (#BABYLON), services.exe

Process information

PID: 2684
CMD: C:\ProgramData\setup\services.exe
Path: C:\ProgramData\setup\services.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 1
Modules (images):
  c:\programdata\setup\services.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\advapi32.dll
  c:\windows\syswow64\msvcrt.dll

PID: 4316
CMD: "C:\ProgramData\setup\services.exe"
Path: C:\ProgramData\setup\services.exe
Parent process: services.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
  c:\programdata\setup\services.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\advapi32.dll

PID: 5196
CMD: "C:\Users\admin\Desktop\services.exe"
Path: C:\Users\admin\Desktop\services.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
  c:\users\admin\desktop\services.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\advapi32.dll
Total events: 436
Read events: 433
Write events: 3
Delete events: 0

Modification events

PID 5196, services.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: 99sasprosnowmeprona
Value: C:\ProgramData\setup\services.exe

PID 4316, services.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: 99sasprosnowmeprona
Value: C:\ProgramData\setup\services.exe

PID 2684, services.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: 99sasprosnowmeprona
Value: C:\ProgramData\setup\services.exe
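All three write events are the same RunOnce value. Windows deletes a RunOnce entry after it executes, so a sample that persists through RunOnce has to rewrite it on every run, which is exactly the pattern of one write per process seen here. The Python below is an added example, not ANY.RUN's code and not part of the report: it groups Sysmon-style "registry value set" events by key and value name and explains why an autorun entry looks suspicious (target outside trusted program directories, a *Once key re-armed by several processes, the writer being a different image than the registered target). The event records are constructed from the three modification events above plus one made-up benign vendor updater as a control; the trusted-directory list and the Sysmon field names are assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Autorun keys under ...\CurrentVersion that the report's "Changes the autorun
# value in the registry" signature covers.
AUTORUN_KEY = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce|RunOnceEx|RunServices|RunServicesOnce)$",
    re.IGNORECASE,
)

# Directories from which an autorun target is usually legitimate.
# Assumption: not taken from the report; tune to the estate.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

RUNONCE_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"

# Constructed Sysmon Event ID 13 style records modelled on the three modification
# events in the report, plus one benign vendor updater (made up) as a control.
EVENTS = [
    {"pid": 5196, "image": r"C:\Users\admin\Desktop\services.exe", "key": RUNONCE_KEY,
     "name": "99sasprosnowmeprona", "value": r"C:\ProgramData\setup\services.exe"},
    {"pid": 4316, "image": r"C:\ProgramData\setup\services.exe", "key": RUNONCE_KEY,
     "name": "99sasprosnowmeprona", "value": r"C:\ProgramData\setup\services.exe"},
    {"pid": 2684, "image": r"C:\ProgramData\setup\services.exe", "key": RUNONCE_KEY,
     "name": "99sasprosnowmeprona", "value": r"C:\ProgramData\setup\services.exe"},
    {"pid": 1204, "image": r"C:\Program Files\Vendor\updater.exe",
     "key": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "name": "VendorUpdater", "value": r'"C:\Program Files\Vendor\updater.exe" /silent'},
]


def extract_target(value: str) -> str:
    """Pull the executable path (lower-cased) out of an autorun value such as
    '"C:\\dir with spaces\\a.exe" /arg' or a bare path."""
    m = re.match(r'\s*"?([^"]+?\.exe)"?', value, re.IGNORECASE)
    return (m.group(1) if m else value.strip('" ')).lower()


def autorun_findings(events: List[Dict]) -> Dict[str, Dict]:
    """Group autorun writes by key\\name and list the reasons each looks suspicious."""
    grouped = defaultdict(list)
    for e in events:
        if AUTORUN_KEY.search(e["key"]):
            grouped[e["key"] + "\\" + e["name"]].append(e)

    results = {}
    for entry, writes in grouped.items():
        key_name = AUTORUN_KEY.search(writes[0]["key"]).group(1).lower()
        target = extract_target(writes[-1]["value"])
        writers = sorted({w["pid"] for w in writes})
        reasons = []
        if not target.startswith(TRUSTED_PREFIXES):
            reasons.append(f"target {target} is outside trusted program directories")
        if key_name.endswith("once") and len(writers) > 1:
            reasons.append(f"{key_name} entry re-written by {len(writers)} processes "
                           "(Windows deletes it after use, so this is re-arming)")
        foreign = sorted({w["image"] for w in writes if w["image"].lower() != target})
        if foreign:
            reasons.append("registered by a different image: " + ", ".join(foreign))
        results[entry] = {"target": target, "writers": writers, "reasons": reasons}
    return results


if __name__ == "__main__":
    for entry, info in autorun_findings(EVENTS).items():
        print(entry, info["writers"], info["reasons"] or "clean")
```

The sample's entry is reported with all three reasons (the Desktop copy registers the ProgramData copy, which then re-arms the key itself on each run); the vendor entry under Run, pointing into Program Files and written by the same image it registers, gets none.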
Executable files: 1
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID 5196, services.exe
Filename: C:\ProgramData\setup\services.exe
Type: executable
MD5: C35E5936814A357332E903CF4683217D
SHA256: 60AFDD784796754F4C91BDD26B72157CC62692FA7134BC91BEE694FBB2B0E057
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 29
TCP/UDP connections: 26
DNS requests: 20
Threats: 1

HTTP requests ("-" marks a cell that is empty in the report)

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5276 | MoUsoCoreWorker.exe | GET | 304 | 40.127.240.158:443 | https://settings-win.data.microsoft.com/settings/v3.0/wsd/muse?ProcessorClockSpeed=3094&FlightIds=&UpdateOfferedDays=4294967295&BranchReadinessLevel=CB&OEMManufacturerName=DELL&IsCloudDomainJoined=0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&sku=48&ActivationChannel=Retail&AttrDataVer=186&IsMDMEnrolled=0&ProcessorCores=6&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&TotalPhysicalRAM=6144&PrimaryDiskType=4294967295&FlightingBranchName=&ChassisTypeId=1&OEMModelNumber=DELL&SystemVolumeTotalCapacity=260281&sampleId=95271487&deviceClass=Windows.Desktop&App=muse&DisableDualScan=0&AppVer=10.0&OEMSubModel=J5CR&locale=en-US&IsAlwaysOnAlwaysConnectedCapable=0&ms=0&DefaultUserRegion=244&UpdateServiceUrl=http%3A%2F%2Fneverupdatewindows10.com&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&os=windows&deviceId=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&DeferQualityUpdatePeriodInDays=0&ring=Retail&DeferFeatureUpdatePeriodInDays=30 | US | - | - | whitelisted
2812 | SIHClient.exe | GET | 304 | 74.178.240.61:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | US | - | - | whitelisted
5316 | svchost.exe | GET | 200 | 23.11.41.157:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAz1vQYrVgL0erhQLCPM8GY%3D | NL | binary | 471 b | whitelisted
- | - | GET | 200 | 204.79.197.203:80 | http://oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBQ3L3%2F%2Fa6ADK8NraY2GXzVaYrHG4AQUb6t%2B2v%2BXQ3LsO2d33oJhNYhHQoUCEzMAAAAGb6JMMcOVb6sAAAAAAAY%3D | US | binary | 922 b | whitelisted
2812 | SIHClient.exe | GET | 200 | 135.232.92.97:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | US | - | - | whitelisted
2812 | SIHClient.exe | GET | 200 | 74.178.240.61:443 | https://slscr.update.microsoft.com/sls/ping | US | - | - | whitelisted
2812 | SIHClient.exe | GET | 304 | 74.178.240.61:443 | https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | US | - | - | whitelisted
5316 | svchost.exe | POST | 200 | 40.126.31.2:443 | https://login.live.com/RST2.srf | US | xml | 1.24 Kb | whitelisted
5316 | svchost.exe | POST | 400 | 40.126.31.2:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 204 b | whitelisted
8000 | svchost.exe | GET | 304 | 51.104.136.2:443 | https://settings-win.data.microsoft.com/settings/v3.0/WSD/UpdateHealthTools?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&sampleId=s:95271487&appVer=10.0.19041.3626&FlightRing=Retail&TelemetryLevel=1&HidOverGattReg=C%3A%5CWINDOWS%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_9610b4821fdf82a5%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&AppVer=&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&OEMModel=DELL&UpdateOfferedDays=4294967295&ProcessorManufacturer=AuthenticAMD&InstallDate=1661339444&OEMModelBaseBoard=&BranchReadinessLevel=CB&OEMSubModel=J5CR&IsCloudDomainJoined=0&DeferFeatureUpdatePeriodInDays=30&IsDeviceRetailDemo=0&FlightingBranchName=&OSUILocale=en-US&DeviceFamily=Windows.Desktop&WuClientVer=10.0.19041.3996&UninstallActive=1&IsFlightingEnabled=0&OSSkuId=48&ProcessorClockSpeed=3094&TotalPhysicalRAM=6144&SecureBootCapable=0&App=SedimentPack&ProcessorCores=6&CurrentBranch=vb_release&InstallLanguage=en-US&DeferQualityUpdatePeriodInDays=0&OEMName_Uncleaned=DELL&TPMVersion=0&PrimaryDiskTotalCapacity=262144&InstallationType=Client&AttrDataVer=186&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&IsEdgeWithChromiumInstalled=1&OSVersion=10.0.19045.4046&IsMDMEnrolled=0&ActivationChannel=Retail&FirmwareVersion=A.40&TrendInstalledKey=1&OSArchitecture=AMD64&DefaultUserRegion=244&UpdateManagementGroup=2 | US | - | - | whitelisted

Connections ("-" marks a cell that is empty in the report)

PID | Process | IP | Domain | ASN | CN | Reputation
8000 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:137 | - | - | Not routed | whitelisted
5276 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
- | - | 48.192.1.65:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
- | - | 2.19.122.67:443 | www.bing.com | AKAMAI-ASN1 | NL | whitelisted
- | - | 23.11.41.157:80 | ocsp.digicert.com | AKAMAI-AMS | NL | whitelisted
- | - | 204.79.197.203:80 | oneocsp.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:138 | - | - | Not routed | whitelisted
4316 | services.exe | 198.252.111.4:20000 | services.in.net | HAWKHOST | CA | unknown
3428 | svchost.exe | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 40.127.240.158
  • 51.104.136.2
whitelisted
activation-v2.sls.microsoft.com
  • 48.192.1.65
whitelisted
www.bing.com
  • 2.19.122.67
  • 2.19.122.58
  • 2.19.122.56
  • 2.19.122.64
  • 2.19.122.63
  • 2.19.122.59
  • 2.19.122.60
  • 2.19.122.61
  • 2.19.122.65
whitelisted
ocsp.digicert.com
  • 23.11.41.157
whitelisted
oneocsp.microsoft.com
  • 204.79.197.203
whitelisted
google.com
  • 142.251.20.138
  • 142.251.20.101
  • 142.251.20.139
  • 142.251.20.100
  • 142.251.20.102
  • 142.251.20.113
whitelisted
services.in.net
  • 198.252.111.4
unknown
client.wns.windows.com
  • 172.211.123.250
whitelisted
login.live.com
  • 40.126.31.2
  • 40.126.31.0
  • 40.126.31.69
  • 40.126.31.71
  • 20.190.159.0
  • 20.190.159.4
  • 20.190.159.75
  • 40.126.31.130
whitelisted
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.28
  • 23.216.77.36
  • 23.216.77.25
whitelisted
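Everything in the connection and DNS tables except one row is Windows background traffic; the one row that belongs to the sample is PID 4316 (services.exe) connecting to services.in.net at 198.252.111.4:20000, the only destination with an "unknown" reputation. The Python below is an added example, not ANY.RUN's code and not part of the report: it turns the report's indicators (hashes, dropped-file path, RunOnce value name, C2 host and port) into an IOC set and sweeps JSON-lines telemetry for them, handling the normalisation details that make naive string matching miss (hash case, DNS trailing dot and subdomains, the same host on a different port). The telemetry lines (Zeek-style conn and dns records, a file inventory row and a registry row) are constructed for the example, not taken from the report's PCAP, and the field names are assumptions.

```python
import json
from typing import List, Optional, Tuple

# Indicators taken from the report above; hashes and paths are lower-cased so
# comparisons are case-insensitive.
IOCS = {
    "sha256": {"60afdd784796754f4c91bdd26b72157cc62692fa7134bc91bee694fbb2b0e057"},
    "md5": {"c35e5936814a357332e903cf4683217d"},
    "domain": {"services.in.net"},
    "ip_port": {("198.252.111.4", 20000)},
    "path": {r"c:\programdata\setup\services.exe"},
    "regvalue": {"99sasprosnowmeprona"},
}

# Constructed telemetry (not from the report's PCAP): Zeek-style dns/conn records,
# a file inventory row and a registry row, one JSON object per line.
TELEMETRY = "\n".join([
    json.dumps({"kind": "dns", "query": "SERVICES.IN.NET.", "answers": ["198.252.111.4"]}),
    json.dumps({"kind": "conn", "id.orig_h": "192.168.100.50", "id.resp_h": "198.252.111.4",
                "id.resp_p": 20000, "proto": "tcp"}),
    json.dumps({"kind": "conn", "id.orig_h": "192.168.100.50", "id.resp_h": "198.252.111.4",
                "id.resp_p": 443, "proto": "tcp"}),
    json.dumps({"kind": "dns", "query": "www.bing.com", "answers": ["2.19.122.67"]}),
    json.dumps({"kind": "file", "path": r"C:\ProgramData\Setup\services.exe",
                "sha256": "60AFDD784796754F4C91BDD26B72157CC62692FA7134BC91BEE694FBB2B0E057"}),
    json.dumps({"kind": "file", "path": r"C:\Windows\System32\services.exe", "sha256": "0" * 64}),
    json.dumps({"kind": "registry",
                "key": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
                "name": "99sasprosnowmeprona", "value": r"C:\ProgramData\setup\services.exe"}),
])


def domain_matches(query: str) -> Optional[str]:
    """Return the matching IOC domain for an exact or subdomain hit, ignoring case
    and a trailing dot (as seen in DNS query logs)."""
    q = query.lower().rstrip(".")
    for d in IOCS["domain"]:
        if q == d or q.endswith("." + d):
            return d
    return None


def check_record(rec: dict) -> List[Tuple[str, str]]:
    """Return (ioc_type, value) pairs that a single telemetry record matches."""
    hits = []
    kind = rec.get("kind")
    if kind == "dns":
        d = domain_matches(rec.get("query", ""))
        if d:
            hits.append(("domain", d))
        for answer in rec.get("answers", []):
            if any(answer == ip for ip, _ in IOCS["ip_port"]):
                hits.append(("ip", answer))
    elif kind == "conn":
        host, port = rec.get("id.resp_h"), rec.get("id.resp_p")
        if (host, port) in IOCS["ip_port"]:
            hits.append(("ip_port", f"{host}:{port}"))
        elif any(host == ip for ip, _ in IOCS["ip_port"]):
            # Same host on another port: worth a look, but a weaker match than host:port.
            hits.append(("ip_other_port", f"{host}:{port}"))
    elif kind == "file":
        for algo in ("sha256", "md5"):
            if rec.get(algo, "").lower() in IOCS[algo]:
                hits.append((algo, rec[algo].lower()))
        if rec.get("path", "").lower() in IOCS["path"]:
            hits.append(("path", rec["path"]))
    elif kind == "registry":
        if rec.get("name", "") in IOCS["regvalue"]:
            hits.append(("regvalue", rec["name"]))
    return hits


def sweep(text: str) -> List[Tuple[int, str, str]]:
    """Scan JSON-lines telemetry; return (line_number, ioc_type, value) for each hit."""
    out = []
    for n, line in enumerate(text.splitlines(), 1):
        if line.strip():
            for ioc_type, value in check_record(json.loads(line)):
                out.append((n, ioc_type, value))
    return out


if __name__ == "__main__":
    for n, ioc_type, value in sweep(TELEMETRY):
        print(f"line {n}: {ioc_type} = {value}")
```

On the constructed input the sweep reports the DNS query and its answer, the host:port connection, the same host on port 443 as a weaker hit, the dropped file by both hash and path, and the RunOnce value name; the bing.com query and the genuine System32 services.exe produce nothing.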

Threats

PID | Process | Class | Message
8000 | svchost.exe | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)

The single IDS hit (an Emerging Threats user-agent rule) fires on svchost.exe (PID 8000), a Windows component, not on any of the sample's processes (PIDs 2684, 4316, 5196). The sample's only recorded network activity, the connection from PID 4316 to services.in.net (198.252.111.4:20000) in the Connections table, is not matched by any signature here, so the "Threats: 1" count should not be read as detection of the RAT's traffic.
No debug info