File name:

svchost015.exe

Full analysis: https://app.any.run/tasks/c724589a-48eb-49d3-9f77-245c64ec5643
Verdict: Malicious activity
Analysis date: March 22, 2025, 14:30:10
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
auto
generic
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5:

B826DD92D78EA2526E465A34324EBEEA

SHA1:

BF8A0093ACFD2EB93C102E1A5745FB080575372E

SHA256:

7824B50ACDD144764DAC7445A4067B35CF0FEF619E451045AB6C1F54F5653A5B

SSDEEP:

98304:P6XYFpcyQzwzuskMZHWQ2a6Ph7XFElC02AopEODzwhmtX2Bj:eOh

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • GENERIC has been found (auto)

      • svchost015.exe (PID: 7404)

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    • The sample compiled with english language support

      • svchost015.exe (PID: 7404)

    • Checks supported languages

      • svchost015.exe (PID: 7404)

    • Reads the computer name

      • svchost015.exe (PID: 7404)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (39.3)
.exe | Win32 EXE PECompact compressed (generic) (38)
.exe | Win32 Executable Delphi generic (12.9)
.exe | Win32 Executable (generic) (4.1)
.exe | Win16/32 Executable Delphi generic (1.8)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:04:19 12:00:00+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Large address aware, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 2335744
InitializedDataSize: 754688
UninitializedDataSize: -
EntryPoint: 0x23b26c
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 21.1.0.0
ProductVersionNumber: 21.1.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: X-Ways Software Technology AG
FileDescription: WinHex
FileVersion: 21.1
InternalName: WINHEX
LegalCopyright: © Stefan Fleischmann, X-Ways Software Technology AG 1995-2024
OriginalFileName: WINHEX.EXE
ProductName: WinHex
ProductVersion: 21.1
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
136
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start svchost015.exe no specs sppextcomobj.exe no specs slui.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
7404"C:\Users\admin\Desktop\svchost015.exe" C:\Users\admin\Desktop\svchost015.exeexplorer.exe
User:
admin
Company:
X-Ways Software Technology AG
Integrity Level:
MEDIUM
Description:
WinHex
Exit code:
0
Version:
21.1
Modules
Images
c:\users\admin\desktop\svchost015.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
7464C:\WINDOWS\system32\SppExtComObj.exe -EmbeddingC:\Windows\System32\SppExtComObj.Exesvchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
7496"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEventC:\Windows\System32\slui.exeSppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
145
Read events
145
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
20
DNS requests
13
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
2.19.11.120:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
7852
backgroundTaskHost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
6544
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
2320
SIHClient.exe
GET
200
23.209.214.100:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
2320
SIHClient.exe
GET
200
23.209.214.100:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2.19.11.120:80
crl.microsoft.com
Elisa Oyj
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
3216
svchost.exe
20.197.71.89:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
SG
whitelisted
6544
svchost.exe
20.190.160.66:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
2.23.77.188:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
2104
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
7852
backgroundTaskHost.exe
20.223.35.26:443
arc.msn.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
7852
backgroundTaskHost.exe
2.23.77.188:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 4.231.128.59
whitelisted
crl.microsoft.com
  • 2.19.11.120
  • 2.19.11.105
whitelisted
google.com
  • 216.58.206.78
whitelisted
client.wns.windows.com
  • 20.197.71.89
whitelisted
login.live.com
  • 20.190.160.66
  • 20.190.160.128
  • 20.190.160.4
  • 40.126.32.68
  • 40.126.32.138
  • 20.190.160.14
  • 20.190.160.2
  • 40.126.32.133
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
arc.msn.com
  • 20.223.35.26
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
www.microsoft.com
  • 23.209.214.100
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
svchost015.exe