File name:

svchost.exe

Full analysis: https://app.any.run/tasks/c1649254-5963-40e3-9c36-33a3245f6738
Verdict: Malicious activity
Analysis date: October 01, 2024, 10:41:15
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
pyinstaller
evasion
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (GUI) x86-64, for MS Windows
MD5:

AF60B092934D41CA3BD7624AB583DEDC

SHA1:

C08846B3A14876DF4C47CA02FC534216A77FC8C1

SHA256:

D08A4639DB71636E75DE1F81002A57E11437EB89599C1A9DF1F6096D0521092B

SSDEEP:

98304:y6CGlR/z0gav7QOxEtQPxYVvTY4yG2aSceq1rE2EKKUTpZGAbW+qF7Lo1yVrGFS7:3Wr819S2/VNmzvdrZyqm4

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • svchost.exe (PID: 5756)

    • Process drops python dynamic module

      • svchost.exe (PID: 5756)

    • Starts CMD.EXE for commands execution

      • svchost.exe (PID: 2376)

    • Executable content was dropped or overwritten

      • svchost.exe (PID: 5756)

    • Uses WMIC.EXE to obtain BIOS management information

      • svchost.exe (PID: 2376)

    • The process drops C-runtime libraries

      • svchost.exe (PID: 5756)

    • Application launched itself

      • svchost.exe (PID: 5756)

    • Checks for external IP

      • svchost.exe (PID: 2376)

    • Potential Corporate Privacy Violation

      • svchost.exe (PID: 2376)

    • Connects to unusual port

      • svchost.exe (PID: 2376)

  • INFO

    • Checks supported languages

      • svchost.exe (PID: 5756)
      • svchost.exe (PID: 2376)

    • PyInstaller has been detected (YARA)

      • svchost.exe (PID: 2376)
      • svchost.exe (PID: 5756)

    • Checks operating system version

      • svchost.exe (PID: 2376)

    • Reads the computer name

      • svchost.exe (PID: 5756)
      • svchost.exe (PID: 2376)

    • Create files in a temporary directory

      • svchost.exe (PID: 5756)

    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 1932)

    • Creates files or folders in the user directory

      • svchost.exe (PID: 2376)

    • Checks proxy server information

      • svchost.exe (PID: 2376)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:09:18 09:13:19+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.4
CodeSize: 172032
InitializedDataSize: 97792
UninitializedDataSize: -
EntryPoint: 0xcdb0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
190
Monitored processes
6
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start THREAT svchost.exe THREAT svchost.exe cmd.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1932wmic bios get serialnumberC:\Windows\System32\wbem\WMIC.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
1940C:\WINDOWS\system32\cmd.exe /c "ver"C:\Windows\System32\cmd.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
2356\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeWMIC.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2376"C:\Users\admin\Desktop\svchost.exe" C:\Users\admin\Desktop\svchost.exe
svchost.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
3444\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5756"C:\Users\admin\Desktop\svchost.exe" C:\Users\admin\Desktop\svchost.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
Total events
659
Read events
659
Write events
0
Delete events
0

Modification events

No data
Executable files
77
Suspicious files
41
Text files
923
Unknown types
0

Dropped files

PID
Process
Filename
Type
5756svchost.exeC:\Users\admin\AppData\Local\Temp\_MEI57562\_ctypes.pydexecutable
MD5:F3EE671A420E2B57AFB685B6451B0A3E
SHA256:87A96B342CAAC2988BEADC99FBCB0E800111F403E46876F091CD39E03337A7E2
5756svchost.exeC:\Users\admin\AppData\Local\Temp\_MEI57562\VCRUNTIME140.dllexecutable
MD5:CAF9EDDED91C1F6C0022B278C16679AA
SHA256:02C6AA0E6E624411A9F19B0360A7865AB15908E26024510E5C38A9C08362C35A
5756svchost.exeC:\Users\admin\AppData\Local\Temp\_MEI57562\LIBBZ2.dllexecutable
MD5:71E7C0F84D0A3D8EE0FFBDB60A36E504
SHA256:25A4AAE35DD89709620106DB311AF5BCA7C868182B961E106A895AE14D2FC98A
5756svchost.exeC:\Users\admin\AppData\Local\Temp\_MEI57562\_tcl_data\clock.tcltext
MD5:43123C6414E52C890C34B98DAE04C631
SHA256:08D61E36BB536AA02FDA040ABEAD556A862018EF9A7B465F1063A973D8DA3AF0
5756svchost.exeC:\Users\admin\AppData\Local\Temp\_MEI57562\_sqlite3.pydexecutable
MD5:0AC54436AE951641E5CD9300A98C726B
SHA256:DBC5F0C1703237E8FECD134B333A3FE3CF50B4E6F259D96CFA19E02074467101
5756svchost.exeC:\Users\admin\AppData\Local\Temp\_MEI57562\_tcl_data\encoding\big5.enctext
MD5:9E67816F304FA1A8E20D2270B3A53364
SHA256:465AE2D4880B8006B1476CD60FACF676875438244C1D93A7DBE4CDE1035E745F
5756svchost.exeC:\Users\admin\AppData\Local\Temp\_MEI57562\_hashlib.pydexecutable
MD5:06DC5B546FC6EFE4EAA9C857E6BA1E65
SHA256:2CE608685C5739BAE33C14B34BC08E2840BEB746F426D68614FA22CC725DF35A
5756svchost.exeC:\Users\admin\AppData\Local\Temp\_MEI57562\_tcl_data\encoding\ascii.enctext
MD5:68D69C53B4A9F0AABD60646CA7E06DAE
SHA256:294C97175FD0894093B866E73548AE660AEED0C3CC1E73867EB66E52D34C0DD2
5756svchost.exeC:\Users\admin\AppData\Local\Temp\_MEI57562\_lzma.pydexecutable
MD5:4C5CFED3C8DB569C24E2CFD972D23D24
SHA256:4496A6299623B0D46342DBF06AFC779539BD96030CBCBBD824CCED9781755DB5
5756svchost.exeC:\Users\admin\AppData\Local\Temp\_MEI57562\_decimal.pydexecutable
MD5:D22E8F667F6815594DC86E98CCE465EB
SHA256:EE4A75591590297E58B9FEA3BDE683FA5C2FBCC7B15EED3B3B7CDF4BFF559F57
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
21
TCP/UDP connections
121
DNS requests
81
Threats
14

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2376
svchost.exe
POST
200
95.216.251.178:9120
http://95.216.251.178:9120/api/v1/monitor/window
unknown
unknown
2376
svchost.exe
POST
200
95.216.251.178:9120
http://95.216.251.178:9120/api/v1/monitor/window
unknown
unknown
2376
svchost.exe
POST
200
95.216.251.178:9120
http://95.216.251.178:9120/api/v1/monitor/keystroke
unknown
unknown
2376
svchost.exe
POST
200
95.216.251.178:9120
http://95.216.251.178:9120/api/v1/monitor/window
unknown
unknown
5212
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2912
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6604
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6604
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
2376
svchost.exe
POST
200
95.216.251.178:9120
http://95.216.251.178:9120/api/v1/user
unknown
unknown
6244
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
3888
svchost.exe
239.255.255.250:1900
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5212
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
5212
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4324
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3260
svchost.exe
40.115.3.253:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2912
svchost.exe
20.190.160.22:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 20.73.194.208
  • 51.124.78.146
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
google.com
  • 142.250.185.238
whitelisted
client.wns.windows.com
  • 40.115.3.253
  • 40.113.110.67
whitelisted
login.live.com
  • 20.190.160.22
  • 40.126.32.134
  • 40.126.32.72
  • 40.126.32.138
  • 40.126.32.136
  • 40.126.32.133
  • 40.126.32.140
  • 20.190.160.17
  • 20.190.159.73
  • 20.190.159.75
  • 20.190.159.71
  • 20.190.159.68
  • 20.190.159.64
  • 20.190.159.0
  • 40.126.31.73
  • 20.190.159.23
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
go.microsoft.com
  • 23.218.210.69
whitelisted
arc.msn.com
  • 20.223.35.26
whitelisted
fd.api.iris.microsoft.com
  • 20.199.58.43
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted

Threats

PID
Process
Class
Message
2256
svchost.exe
Misc activity
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
2376
svchost.exe
Misc activity
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
12 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
svchost.exe