File name:

svcPrvinit.bin.zip

Full analysis: https://app.any.run/tasks/00136460-12f0-4f3e-b876-457564064ed6
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: December 02, 2023, 14:20:25
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ransomware
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

87A5C76C5E4BF86C4FC3A14BC1CE1443

SHA1:

765FC84CF424B6517C8094651FEB58D81440D177

SHA256:

875CBB59805A0925396448AF8D1D059559EF23712EBCF9E2A55166D6ED555B9A

SSDEEP:

3072:79pYomfCrU//B3agC1O+SFia5ODXaUam7GnGYsUGFvU:ZKomf/sggObFiIOLa1mKnGYRYs

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Deletes shadow copies

      • cmd.exe (PID: 3168)
      • cmd.exe (PID: 3092)
      • cmd.exe (PID: 3512)
      • cmd.exe (PID: 3340)
      • cmd.exe (PID: 1984)
      • cmd.exe (PID: 3604)
      • cmd.exe (PID: 3380)
      • cmd.exe (PID: 2404)
      • cmd.exe (PID: 2368)
      • cmd.exe (PID: 2128)
      • cmd.exe (PID: 1376)
      • cmd.exe (PID: 3256)
      • cmd.exe (PID: 2068)
      • cmd.exe (PID: 2736)
      • cmd.exe (PID: 188)
      • cmd.exe (PID: 1892)
      • cmd.exe (PID: 3828)
      • cmd.exe (PID: 3056)
      • cmd.exe (PID: 3388)
    • Actions look like stealing of personal data

      • svcPrvinit.exe (PID: 2868)
    • Renames files like ransomware

      • svcPrvinit.exe (PID: 2868)
    • Drops the executable file immediately after the start

      • svcPrvinit.exe (PID: 2868)
  • SUSPICIOUS

    • Reads the Internet Settings

      • WMIC.exe (PID: 880)
      • WMIC.exe (PID: 3932)
      • WMIC.exe (PID: 2100)
      • WMIC.exe (PID: 3972)
      • WMIC.exe (PID: 4068)
      • WMIC.exe (PID: 3752)
      • WMIC.exe (PID: 3776)
      • WMIC.exe (PID: 4056)
      • WMIC.exe (PID: 3596)
      • WMIC.exe (PID: 3460)
      • WMIC.exe (PID: 1816)
      • WMIC.exe (PID: 2056)
      • WMIC.exe (PID: 2744)
      • WMIC.exe (PID: 824)
      • WMIC.exe (PID: 2176)
      • WMIC.exe (PID: 3104)
      • WMIC.exe (PID: 2392)
      • WMIC.exe (PID: 2904)
      • WMIC.exe (PID: 2520)
    • Write to the desktop.ini file (may be used to cloak folders)

      • svcPrvinit.exe (PID: 2868)
    • Starts CMD.EXE for commands execution

      • svcPrvinit.exe (PID: 2868)
    • Executes as Windows Service

      • VSSVC.exe (PID: 2764)
  • INFO

    • Manual execution by a user

      • svcPrvinit.exe (PID: 2868)
    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3476)
    • Checks supported languages

      • svcPrvinit.exe (PID: 2868)
    • Creates files in the program directory

      • svcPrvinit.exe (PID: 2868)
    • Creates files or folders in the user directory

      • svcPrvinit.exe (PID: 2868)
    • Dropped object may contain TOR URLs

      • svcPrvinit.exe (PID: 2868)
    • Reads the computer name

      • svcPrvinit.exe (PID: 2868)
    • Reads the machine GUID from the registry

      • svcPrvinit.exe (PID: 2868)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 788
ZipBitFlag: 0x0001
ZipCompression: Deflated
ZipModifyDate: 2023:12:02 14:12:22
ZipCRC: 0x8b6b4ea3
ZipCompressedSize: 104854
ZipUncompressedSize: 251392
ZipFileName: svcPrvinit.bin
No data.
All screenshots are available in the full report
Total processes
106
Monitored processes
41
Malicious processes
20
Suspicious processes
0

Behavior graph

Process tree shown in the interactive graph of the full report: winrar.exe, svcprvinit.exe, vssvc.exe, followed by repeated cmd.exe / wmic.exe pairs.

Process information

PID
CMD
Path
Indicators
Parent process
PID: 188
CMD: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{086481BC-F8C2-46F4-8AC4-39E45FDFF513}'" delete
Path: C:\Windows\System32\cmd.exe
Parent process: svcPrvinit.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 824
CMD: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CD816E64-954D-42BE-9185-4135B543186B}'" delete
Path: C:\Windows\System32\wbem\WMIC.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
PID: 880
CMD: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2150407D-40F8-40CF-9BAF-7547594980F5}'" delete
Path: C:\Windows\System32\wbem\WMIC.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
PID: 1376
CMD: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7E0546EB-07EA-48C0-B0D5-6C3695DC9933}'" delete
Path: C:\Windows\System32\cmd.exe
Parent process: svcPrvinit.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 1816
CMD: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7E0546EB-07EA-48C0-B0D5-6C3695DC9933}'" delete
Path: C:\Windows\System32\wbem\WMIC.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
PID: 1892
CMD: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{910CFF5C-B16C-4FA9-8646-6FB613F254E4}'" delete
Path: C:\Windows\System32\cmd.exe
Parent process: svcPrvinit.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 1984
CMD: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9F2005F8-2675-4792-8D48-24D30D4C8680}'" delete
Path: C:\Windows\System32\cmd.exe
Parent process: svcPrvinit.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2056
CMD: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{25D36354-3653-49FC-B6EA-5D1C27AE4CEF}'" delete
Path: C:\Windows\System32\wbem\WMIC.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
PID: 2068
CMD: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0F97434F-CA6C-4D75-8CF8-7A01EA0921A0}'" delete
Path: C:\Windows\System32\cmd.exe
Parent process: svcPrvinit.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2100
CMD: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{99345D7E-5F33-4BBB-BE04-ADE9A0C9D8B5}'" delete
Path: C:\Windows\System32\wbem\WMIC.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
Total events
2 546
Read events
2 479
Write events
25
Delete events
42

Modification events

(PID) Process: (3476) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\17F\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3476) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip

(PID) Process: (3476) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (3476) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\phacker.zip

(PID) Process: (3476) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (3476) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (3476) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (3476) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (3476) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation: write
Name: Placement
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000

(PID) Process: (3476) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\General
Operation: write
Name: LastFolder
Value: C:\Users\admin\Desktop
Executable files
9
Suspicious files
1 910
Text files
293
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 2868 | Process: svcPrvinit.exe | Filename: C:\MSOCache\read-me3.txt | Type: text
MD5: AAC99E50A0DC6EB731DE28BDA443C5DD
SHA256: FAF077E6172B37A510527C321FF45655DF7BBE03F4040FFCBBDD4F0FED4A9FCE

PID: 3476 | Process: WinRAR.exe | Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb3476.31927\svcPrvinit.bin | Type: executable
MD5: 7415347D5EA5F0DB29EC95A4A61ABA90
SHA256: F2E17EC85C3F8EE26A3BE3CE52C6E140448941D705A9BDEDB7C1AA82A9D9707F

PID: 2868 | Process: svcPrvinit.exe | Filename: C:\ProgramData\read-me3.txt | Type: text
MD5: AAC99E50A0DC6EB731DE28BDA443C5DD
SHA256: FAF077E6172B37A510527C321FF45655DF7BBE03F4040FFCBBDD4F0FED4A9FCE

PID: 2868 | Process: svcPrvinit.exe | Filename: C:\MSOCache\All Users\read-me3.txt | Type: text
MD5: AAC99E50A0DC6EB731DE28BDA443C5DD
SHA256: FAF077E6172B37A510527C321FF45655DF7BBE03F4040FFCBBDD4F0FED4A9FCE

PID: 2868 | Process: svcPrvinit.exe | Filename: C:\read-me3.txt | Type: text
MD5: AAC99E50A0DC6EB731DE28BDA443C5DD
SHA256: FAF077E6172B37A510527C321FF45655DF7BBE03F4040FFCBBDD4F0FED4A9FCE

PID: 2868 | Process: svcPrvinit.exe | Filename: C:\Users\read-me3.txt | Type: text
MD5: AAC99E50A0DC6EB731DE28BDA443C5DD
SHA256: FAF077E6172B37A510527C321FF45655DF7BBE03F4040FFCBBDD4F0FED4A9FCE

PID: 2868 | Process: svcPrvinit.exe | Filename: C:\Program Files\CCleaner\read-me3.txt | Type: text
MD5: AAC99E50A0DC6EB731DE28BDA443C5DD
SHA256: FAF077E6172B37A510527C321FF45655DF7BBE03F4040FFCBBDD4F0FED4A9FCE

PID: 2868 | Process: svcPrvinit.exe | Filename: C:\Users\desktop.ini | Type: binary
MD5: 61028E1D0C53545D33ADB40AF5DF0EEE
SHA256: D8A189F8B5D0D6F8C9F4D44FBADD873DC6AB987311AD0FDF6333AC1C31DE6D7A

PID: 2868 | Process: svcPrvinit.exe | Filename: C:\Program Files\FileZilla FTP Client\AUTHORS | Type: binary
MD5: 186E67715FE60FDABB9EFA46C05B96B7
SHA256: A1EF6246C297A3B115FBE3F97617371D707870CC932442F851234CD38FA482BB

PID: 2868 | Process: svcPrvinit.exe | Filename: C:\ProgramData\ntuser.pol.L0CK3D | Type: binary
MD5: FDCB03ED90C07298C5EAFADC48074663
SHA256: F5C378DBDBC0FE94ED015E34CBC33135C6355DDBE4C25CB1306094F81044357F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
265
DNS requests
0
Threats
1

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
2588 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
- | - | 192.168.100.181:49211 | - | - | - | unknown
- | - | 192.168.100.181:49212 | - | - | - | unknown
2868 | svcPrvinit.exe | 192.168.1.2:445 | - | - | - | unknown
- | - | 192.168.100.181:49214 | - | - | - | unknown
- | - | 192.168.100.181:49215 | - | - | - | unknown
- | - | 192.168.100.181:49216 | - | - | - | unknown

DNS requests

No data

Threats

PID | Process | Class | Message
2868 | svcPrvinit.exe | Misc activity | ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection
No debug info