File name:

svchost.exe

Full analysis: https://app.any.run/tasks/c1649254-5963-40e3-9c36-33a3245f6738
Verdict: Malicious activity
Analysis date: October 01, 2024, 10:41:15
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
pyinstaller
evasion
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (GUI) x86-64, for MS Windows
MD5:

AF60B092934D41CA3BD7624AB583DEDC

SHA1:

C08846B3A14876DF4C47CA02FC534216A77FC8C1

SHA256:

D08A4639DB71636E75DE1F81002A57E11437EB89599C1A9DF1F6096D0521092B

SSDEEP:

98304:y6CGlR/z0gav7QOxEtQPxYVvTY4yG2aSceq1rE2EKKUTpZGAbW+qF7Lo1yVrGFS7:3Wr819S2/VNmzvdrZyqm4

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • The process drops C-runtime libraries

      • svchost.exe (PID: 5756)

    • Application launched itself

      • svchost.exe (PID: 5756)

    • Connects to unusual port

      • svchost.exe (PID: 2376)

    • Executable content was dropped or overwritten

      • svchost.exe (PID: 5756)

    • Starts CMD.EXE for commands execution

      • svchost.exe (PID: 2376)

    • Process drops python dynamic module

      • svchost.exe (PID: 5756)

    • Checks for external IP

      • svchost.exe (PID: 2376)

    • Uses WMIC.EXE to obtain BIOS management information

      • svchost.exe (PID: 2376)

    • Potential Corporate Privacy Violation

      • svchost.exe (PID: 2376)

    • Process drops legitimate windows executable

      • svchost.exe (PID: 5756)

  • INFO

    • Checks supported languages

      • svchost.exe (PID: 2376)
      • svchost.exe (PID: 5756)

    • Reads the computer name

      • svchost.exe (PID: 2376)
      • svchost.exe (PID: 5756)

    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 1932)

    • Creates files or folders in the user directory

      • svchost.exe (PID: 2376)

    • Create files in a temporary directory

      • svchost.exe (PID: 5756)

    • Checks operating system version

      • svchost.exe (PID: 2376)

    • PyInstaller has been detected (YARA)

      • svchost.exe (PID: 5756)
      • svchost.exe (PID: 2376)

    • Checks proxy server information

      • svchost.exe (PID: 2376)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:09:18 09:13:19+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.4
CodeSize: 172032
InitializedDataSize: 97792
UninitializedDataSize: -
EntryPoint: 0xcdb0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
190
Monitored processes
6
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start THREAT svchost.exe THREAT svchost.exe cmd.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1932wmic bios get serialnumberC:\Windows\System32\wbem\WMIC.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
1940C:\WINDOWS\system32\cmd.exe /c "ver"C:\Windows\System32\cmd.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
2356\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeWMIC.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2376"C:\Users\admin\Desktop\svchost.exe" C:\Users\admin\Desktop\svchost.exe
svchost.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
3444\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5756"C:\Users\admin\Desktop\svchost.exe" C:\Users\admin\Desktop\svchost.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
Total events
659
Read events
659
Write events
0
Delete events
0

Modification events

No data
Executable files
77
Suspicious files
41
Text files
923
Unknown types
0

Dropped files

PID
Process
Filename
Type
5756svchost.exeC:\Users\admin\AppData\Local\Temp\_MEI57562\_lzma.pydexecutable
MD5:4C5CFED3C8DB569C24E2CFD972D23D24
SHA256:4496A6299623B0D46342DBF06AFC779539BD96030CBCBBD824CCED9781755DB5
5756svchost.exeC:\Users\admin\AppData\Local\Temp\_MEI57562\_socket.pydexecutable
MD5:52CC764E93CBA6835E07AF2DAA846510
SHA256:46330CAA0EF439DC9AF9BEF778D5C742DACAE3D61D41602BB3E245B62C29B350
5756svchost.exeC:\Users\admin\AppData\Local\Temp\_MEI57562\_tcl_data\encoding\ascii.enctext
MD5:68D69C53B4A9F0AABD60646CA7E06DAE
SHA256:294C97175FD0894093B866E73548AE660AEED0C3CC1E73867EB66E52D34C0DD2
5756svchost.exeC:\Users\admin\AppData\Local\Temp\_MEI57562\_ctypes.pydexecutable
MD5:F3EE671A420E2B57AFB685B6451B0A3E
SHA256:87A96B342CAAC2988BEADC99FBCB0E800111F403E46876F091CD39E03337A7E2
5756svchost.exeC:\Users\admin\AppData\Local\Temp\_MEI57562\VCRUNTIME140_1.dllexecutable
MD5:2BD576CBC5CB712935EB1B10E4D312F5
SHA256:7DD9AA02E271C68CA6D5F18D651D23A15D7259715AF43326578F7DDE27F37637
5756svchost.exeC:\Users\admin\AppData\Local\Temp\_MEI57562\_sqlite3.pydexecutable
MD5:0AC54436AE951641E5CD9300A98C726B
SHA256:DBC5F0C1703237E8FECD134B333A3FE3CF50B4E6F259D96CFA19E02074467101
5756svchost.exeC:\Users\admin\AppData\Local\Temp\_MEI57562\_ssl.pydexecutable
MD5:627A79C1169FDDA36A52E5840F030123
SHA256:E666EE17A604CA4078584934554A777C11C0F5ACC07CF9D09028437C6382828D
5756svchost.exeC:\Users\admin\AppData\Local\Temp\_MEI57562\_hashlib.pydexecutable
MD5:06DC5B546FC6EFE4EAA9C857E6BA1E65
SHA256:2CE608685C5739BAE33C14B34BC08E2840BEB746F426D68614FA22CC725DF35A
5756svchost.exeC:\Users\admin\AppData\Local\Temp\_MEI57562\LIBBZ2.dllexecutable
MD5:71E7C0F84D0A3D8EE0FFBDB60A36E504
SHA256:25A4AAE35DD89709620106DB311AF5BCA7C868182B961E106A895AE14D2FC98A
5756svchost.exeC:\Users\admin\AppData\Local\Temp\_MEI57562\_overlapped.pydexecutable
MD5:FE68B39BCB75047391FDBB5A8AD472FF
SHA256:1BCAE6235A765D6D61C723950B752FB8D619579763952267BA092D436993480A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
21
TCP/UDP connections
121
DNS requests
81
Threats
14

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2912
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6244
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
5212
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6604
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6604
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
2376
svchost.exe
POST
200
95.216.251.178:9120
http://95.216.251.178:9120/api/v1/monitor/window
unknown
unknown
5336
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
5336
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
2376
svchost.exe
POST
200
95.216.251.178:9120
http://95.216.251.178:9120/api/v1/monitor/keystroke
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
3888
svchost.exe
239.255.255.250:1900
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5212
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
5212
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4324
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3260
svchost.exe
40.115.3.253:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2912
svchost.exe
20.190.160.22:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 20.73.194.208
  • 51.124.78.146
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
google.com
  • 142.250.185.238
whitelisted
client.wns.windows.com
  • 40.115.3.253
  • 40.113.110.67
whitelisted
login.live.com
  • 20.190.160.22
  • 40.126.32.134
  • 40.126.32.72
  • 40.126.32.138
  • 40.126.32.136
  • 40.126.32.133
  • 40.126.32.140
  • 20.190.160.17
  • 20.190.159.73
  • 20.190.159.75
  • 20.190.159.71
  • 20.190.159.68
  • 20.190.159.64
  • 20.190.159.0
  • 40.126.31.73
  • 20.190.159.23
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
go.microsoft.com
  • 23.218.210.69
whitelisted
arc.msn.com
  • 20.223.35.26
whitelisted
fd.api.iris.microsoft.com
  • 20.199.58.43
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted

Threats

PID
Process
Class
Message
2256
svchost.exe
Misc activity
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
2376
svchost.exe
Misc activity
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
12 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
svchost.exe