File name: svcr.exe

Full analysis: https://app.any.run/tasks/343a4871-4c1c-4c2f-869c-4aa287a7a350
Verdict: Malicious activity
Analysis date: November 30, 2024, 16:20:47
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5: DD3CF21109E5F5A5403598CC0FE8A3C4
SHA1: A9B64DBE823C9931C59A478FBC599A39FFAACE17
SHA256: 6EFD0D13D1E3AE055C806A74184600333A926119083159BCE61D7A1489230830
SSDEEP: 98304:c8xvovX0DjBRFAK9oPjvWKYy1uqdEmxbOegAoNHT1HRnUhNOSMZ/6UOoWbuPDgVt:TF4mF4z

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 6404)
      • cmd.exe (PID: 6756)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • svcr.exe (PID: 6256)
      • cmd.exe (PID: 6456)
      • svcr.exe (PID: 6608)
    • Starts application with an unusual extension

      • cmd.exe (PID: 6456)
      • cmd.exe (PID: 6872)
    • Application launched itself

      • svcr.exe (PID: 6608)
    • Reads security settings of Internet Explorer

      • svcr.exe (PID: 6256)
      • svcr.exe (PID: 6608)
    • Executing commands from a ".bat" file

      • svcr.exe (PID: 6256)
      • svcr.exe (PID: 6608)
    • Deletes scheduled task without confirmation

      • schtasks.exe (PID: 6520)
      • schtasks.exe (PID: 6816)
    • Starts CMD.EXE for commands execution

      • svcr.exe (PID: 6256)
      • svcr.exe (PID: 6608)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 6456)
      • cmd.exe (PID: 6872)
    • Executes application which crashes

      • svcr.exe (PID: 6636)
  • INFO

    • Creates files or folders in the user directory

      • svcr.exe (PID: 6256)
      • svcr.exe (PID: 6608)
      • WerFault.exe (PID: 6932)
    • Checks supported languages

      • svcr.exe (PID: 6256)
      • svcr.exe (PID: 6608)
      • chcp.com (PID: 6560)
      • svcr.exe (PID: 6636)
      • chcp.com (PID: 6964)
    • Reads the computer name

      • svcr.exe (PID: 6256)
      • svcr.exe (PID: 6608)
      • svcr.exe (PID: 6636)
    • Create files in a temporary directory

      • svcr.exe (PID: 6256)
      • svcr.exe (PID: 6608)
    • Process checks computer location settings

      • svcr.exe (PID: 6256)
      • svcr.exe (PID: 6608)
    • Changes the display of characters in the console

      • cmd.exe (PID: 6456)
      • cmd.exe (PID: 6872)
    • The process uses the downloaded file

      • svcr.exe (PID: 6256)
      • svcr.exe (PID: 6608)
    • Checks proxy server information

      • WerFault.exe (PID: 6932)
    • Reads the software policy settings

      • WerFault.exe (PID: 6932)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:01:06 11:06:39+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 31232
InitializedDataSize: 2359808
UninitializedDataSize: -
EntryPoint: 0x3b43
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 3.3.14.5
ProductVersionNumber: 3.3.14.5
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Unknown
FileSubtype: -
LanguageCode: English (British)
CharacterSet: Unicode
CompanyName: JWTS
FileDescription: Application Runtime
FileVersion: 3, 3, 14, 5
InternalName: svcr.exe
LegalCopyright: JWTS
OriginalFileName: svcr.exe
ProductName: Application Runtime
ProductVersion: 3, 3, 14, 5
Comments: Modified by an unpaid evaluation copy of Resource Tuner 2. http://www.heaventools.com
No data.
All screenshots are available in the full report
Total processes: 151
Monitored processes: 22
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Processes shown in the graph (in order of start): svcr.exe, cmd.exe, conhost.exe, cmd.exe, conhost.exe, schtasks.exe, chcp.com, schtasks.exe, svcr.exe, timeout.exe, svcr.exe, cmd.exe, conhost.exe, schtasks.exe, schtasks.exe, cmd.exe, conhost.exe, werfault.exe, chcp.com, timeout.exe, rundll32.exe, Shell Security Editor

Process information

PID
CMD
Path
Indicators
Parent process
PID: 6256
CMD: "C:\Users\admin\Desktop\svcr.exe"
Path: C:\Users\admin\Desktop\svcr.exe
Parent process: explorer.exe
User: admin
Company: JWTS
Integrity Level: MEDIUM
Description: Application Runtime
Exit code: 0
Version: 3, 3, 14, 5
Modules
Images
c:\users\admin\desktop\svcr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 6404
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\zbe20241130162053443.bat" "
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: svcr.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 6412
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6456
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\zb20241130162053443.bat" "
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: svcr.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 1
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 6476
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6520
CMD: Schtasks.Exe /delete /tn "Maintenance" /f
Path: C:\Windows\SysWOW64\schtasks.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Task Scheduler Configuration Tool
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 6560
CMD: chcp 1251
Path: C:\Windows\SysWOW64\chcp.com
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Change CodePage Utility
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\chcp.com
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 6568
CMD: Schtasks.Exe /create /tn "Maintenance" /xml "C:\Users\admin\AppData\Local\Temp\zx20241130162053443.xml"
Path: C:\Windows\SysWOW64\schtasks.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Task Scheduler Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 6608
CMD: "C:\Users\admin\Desktop\svcr.exe"
Path: C:\Users\admin\Desktop\svcr.exe
Parent process: cmd.exe
User: admin
Company: JWTS
Integrity Level: MEDIUM
Description: Application Runtime
Exit code: 0
Version: 3, 3, 14, 5
Modules
Images
c:\users\admin\desktop\svcr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 6616
CMD: timeout /t 3 /nobreak
Path: C:\Windows\SysWOW64\timeout.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: timeout - pauses command processing
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events: 4 216
Read events: 4 216
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 4
Suspicious files: 6
Text files: 8
Unknown types: 0

Dropped files

PID | Process | Filename | Type
6608 | svcr.exe | C:\Users\admin\AppData\Local\Temp\ze20241130162054224.tmp | -
  MD5: -
  SHA256: -
6932 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_svcr.exe_17e5b93dba2d72b76e8812c9dcd187ee46081ba_a5e875c4_da26afab-435c-4908-aae6-51e1de9b53f5\Report.wer | -
  MD5: -
  SHA256: -
6872 | cmd.exe | C:\Users\admin\Desktop\svcr.exe | -
  MD5: -
  SHA256: -
6456 | cmd.exe | C:\Users\admin\Desktop\svcr.exe | executable
  MD5: 0FD5988D73BE758A9370D24FAD6A5A63
  SHA256: D0AB1702AFB7F73FDE9ABEFA5F5CABD391DA572344A6139A52E3BA8EA3D3B9EE
6256 | svcr.exe | C:\Users\admin\AppData\Local\Temp\ze20241130162053443.tmp | executable
  MD5: 0FD5988D73BE758A9370D24FAD6A5A63
  SHA256: D0AB1702AFB7F73FDE9ABEFA5F5CABD391DA572344A6139A52E3BA8EA3D3B9EE
6256 | svcr.exe | C:\Users\admin\AppData\Local\Temp\zx20241130162053443.xml | xml
  MD5: D7DD0B620DD974A48117E68C4DFC2956
  SHA256: 2977AC33FC734A13E5B7D7549C449CF64404E831ED79348EE9E1C72C54AD46E0
6256 | svcr.exe | C:\Users\admin\AppData\Local\Temp\zbe20241130162053443.bat | text
  MD5: 0361BBDAE52EF921B8080BBC0DD516EA
  SHA256: E4463F509DBE33500B5E57E3351E80F81704CD2597F872D1BBF9AFD754C81555
6932 | WerFault.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\21253908F3CB05D51B1C2DA8B681A785 | der
  MD5: F6F53CD09A41E968C363419B279D3112
  SHA256: 6D2BB01CC7A9BADE2113B219CAC1BDA86B2733196B7E1BD0C807CE1E396B1892
6932 | WerFault.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\21253908F3CB05D51B1C2DA8B681A785 | binary
  MD5: 2A67D0CADC3FE4F5EBD91398C3B765E5
  SHA256: 347911278A3466648FEA493FBAAB6A0B54551AAEA097007A5148F796A18056F7
6932 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER5DC4.tmp.WERInternalMetadata.xml | xml
  MD5: 9976F466728B75C8E3C1D232A615DB2A
  SHA256: A187F255797B3D34483CF3DA8AA40AD0344E884D90234B192378B46D8A42708A
HTTP(S) requests: 9
TCP/UDP connections: 36
DNS requests: 20
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | DE | binary | 1.01 Kb | whitelisted
1176 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | binary | 471 b | whitelisted
6932 | WerFault.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | DE | binary | 973 b | whitelisted
5064 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | US | binary | 313 b | whitelisted
6932 | WerFault.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | DE | binary | 1.01 Kb | whitelisted
6176 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | DE | binary | 418 b | whitelisted
1064 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | US | binary | 471 b | whitelisted
6176 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | DE | binary | 408 b | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | DE | binary | 973 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
720 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4712 | MoUsoCoreWorker.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5064 | SearchApp.exe | 104.126.37.136:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
5064 | SearchApp.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
1176 | svchost.exe | 20.190.159.2:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1176 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 40.127.240.158
  • 20.73.194.208
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
google.com
  • 172.217.16.206
whitelisted
www.bing.com
  • 104.126.37.136
  • 104.126.37.153
  • 104.126.37.131
  • 104.126.37.186
  • 104.126.37.144
  • 104.126.37.123
  • 104.126.37.128
  • 104.126.37.130
  • 104.126.37.129
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 20.190.159.2
  • 20.190.159.4
  • 40.126.31.73
  • 20.190.159.71
  • 40.126.31.69
  • 40.126.31.67
  • 20.190.159.0
  • 20.190.159.64
whitelisted
go.microsoft.com
  • 23.213.166.81
whitelisted
watson.events.data.microsoft.com
  • 20.42.73.29
whitelisted
arc.msn.com
  • 20.103.156.88
whitelisted

Threats

No threats detected
No debug info