File name:

dllhost.exe

Full analysis: https://app.any.run/tasks/8d33d9bb-95c0-417a-ae8f-9a9487f7020c
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Malware Trends Tracker     >>>
Analysis date: May 28, 2025, 22:51:14
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
auto
generic
auto-sch
rat
remcos
delphi
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 9 sections
MD5:

2D7B3F146B76E8E1145BDEBBAD843239

SHA1:

7EB6BC1319EFFAE89BECECA198B75ECC5FE98057

SHA256:

7E679F4E9CC6296684C2A723C5A5484249E63CC42B716EE5C9F1AD79F3F7B350

SSDEEP:

49152:3S1xQ9CEVRJqhnEfHVZtzlOgcPwH5fQmRNElRqe3nxm/NO6TNwK:3wQ9CEVChENL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • GENERIC has been found (auto)

      • dllhost.exe (PID: 6640)

    • REMCOS has been detected

      • SndVol.exe (PID: 5576)

    • REMCOS has been detected (YARA)

      • SndVol.exe (PID: 5576)

    • REMCOS mutex has been found

      • SndVol.exe (PID: 5576)

    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 5352)

  • SUSPICIOUS

    • Likely accesses (executes) a file from the Public directory

      • esentutl.exe (PID: 1228)
      • alpha.pif (PID: 4408)
      • alpha.pif (PID: 6620)

    • Starts CMD.EXE for commands execution

      • dllhost.exe (PID: 6640)

    • Drops a file with a rarely used extension (PIF)

      • esentutl.exe (PID: 1228)

    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 5608)

    • Starts a Microsoft application from unusual location

      • alpha.pif (PID: 6620)
      • alpha.pif (PID: 4408)

    • Reads security settings of Internet Explorer

      • dllhost.exe (PID: 6640)

    • Executing commands from ".cmd" file

      • dllhost.exe (PID: 6640)

    • Executable content was dropped or overwritten

      • esentutl.exe (PID: 1228)
      • dllhost.exe (PID: 6640)

    • Starts application with an unusual extension

      • cmd.exe (PID: 6036)

    • Starts itself from another location

      • cmd.exe (PID: 6036)

    • Created directory related to system

      • alpha.pif (PID: 6620)

    • Connects to unusual port

      • SndVol.exe (PID: 5576)

    • There is functionality for taking screenshot (YARA)

      • SndVol.exe (PID: 5576)
      • dllhost.exe (PID: 6640)

  • INFO

    • Creates files in the program directory

      • dllhost.exe (PID: 6640)

    • Checks proxy server information

      • dllhost.exe (PID: 6640)

    • Reads the computer name

      • dllhost.exe (PID: 6640)

    • Reads the software policy settings

      • dllhost.exe (PID: 6640)

    • Checks supported languages

      • dllhost.exe (PID: 6640)
      • alpha.pif (PID: 6620)
      • alpha.pif (PID: 4408)

    • The sample compiled with english language support

      • esentutl.exe (PID: 1228)

    • Compiled with Borland Delphi (YARA)

      • dllhost.exe (PID: 6640)

    • Launch of the file from Task Scheduler

      • cmd.exe (PID: 5352)

    • Reads the machine GUID from the registry

      • dllhost.exe (PID: 6640)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Delphi generic (37.4)
.scr | Windows screen saver (34.5)
.exe | Win32 Executable (generic) (11.9)
.exe | Win16/32 Executable Delphi generic (5.4)
.exe | Generic Win/DOS Executable (5.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 398848
InitializedDataSize: 523264
UninitializedDataSize: -
EntryPoint: 0x627c8
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
145
Monitored processes
14
Malicious processes
2
Suspicious processes
1

Behavior graph

Click at the process to see the details
start #GENERIC dllhost.exe cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs ping.exe no specs esentutl.exe alpha.pif no specs alpha.pif no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs #REMCOS sndvol.exe slui.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1228C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o C:\Windows\SysWOW64\esentutl.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Extensible Storage Engine Utilities for Microsoft(R) Windows(R)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\esentutl.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
1272\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2092C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
4408C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64" C:\Users\Public\alpha.pifcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\users\public\alpha.pif
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
4880\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5156ping 127.0.0.1 -n 10 C:\Windows\SysWOW64\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
5328\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5352C:\WINDOWS\system32\cmd.exe /c C:\\ProgramData\\11.cmdC:\Windows\SysWOW64\cmd.exedllhost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
5576C:\Windows\System32\SndVol.exeC:\Windows\SysWOW64\SndVol.exe
dllhost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Volume Mixer
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\sndvol.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\gdi32.dll
5608C:\WINDOWS\system32\cmd.exe /c C:\\ProgramData\\30196.cmdC:\Windows\SysWOW64\cmd.exedllhost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events
1 389
Read events
1 385
Write events
4
Delete events
0

Modification events

(PID) Process:(5576) SndVol.exeKey:HKEY_CURRENT_USER\SOFTWARE\chrome-HXVMEL
Operation:writeName:exepath
Value:
90AA7CD93C868BCB18D752450340F3E6A8717705F8FC5274AFBBC57EA6B7E44E2D765B0373C6F12F5629D6F9714793302F58A2C89242F892D78233F37E33
(PID) Process:(5576) SndVol.exeKey:HKEY_CURRENT_USER\SOFTWARE\chrome-HXVMEL
Operation:writeName:licence
Value:
76888F158C49F9AE9E688FC41470F75D
(PID) Process:(5576) SndVol.exeKey:HKEY_CURRENT_USER\SOFTWARE\chrome-HXVMEL
Operation:writeName:time
Value:
(PID) Process:(5576) SndVol.exeKey:HKEY_CURRENT_USER\SOFTWARE\chrome-HXVMEL
Operation:writeName:UID
Value:
Executable files
2
Suspicious files
2
Text files
4
Unknown types
0

Dropped files

PID
Process
Filename
Type
6640dllhost.exeC:\ProgramData\Itpkogjw.urlbinary
MD5:E77086830406C1EF8EA5D168DB7975A8
SHA256:54AE8122F000059CE71F7DF86F3F914C1BFBB56663C5004679372D266DD4D457
6640dllhost.exeC:\Users\admin\Links\Itpkogjw.PIFexecutable
MD5:2D7B3F146B76E8E1145BDEBBAD843239
SHA256:7E679F4E9CC6296684C2A723C5A5484249E63CC42B716EE5C9F1AD79F3F7B350
6640dllhost.exeC:\ProgramData\neo.cmdtext
MD5:5BAF253744AD26F35BA17DB6B80763E9
SHA256:9CBB41E6C4F8565A6D121B770FCF3F15A6891C8DF8BFBA6D0414B3AD3298BDBA
6640dllhost.exeC:\ProgramData\6899.cmdtext
MD5:1DF650CCA01129127D30063634AB5C03
SHA256:EDD4094E7A82A6FF8BE65D6B075E9513BD15A6B74F8032B5C10CE18F7191FA60
6640dllhost.exeC:\ProgramData\30196.cmdtext
MD5:9A020804EBA1FFAC2928D7C795144BBF
SHA256:A86C6C7A2BF9E12C45275A5E7EBEBD5E6D2BA302FE0A12600B7C9FDF283D9E63
1228esentutl.exeC:\Users\Public\alpha.pifexecutable
MD5:D3348AC2130C7E754754A6E9CB053B09
SHA256:E9EF013238495BFFCE7459E059BFFE340A0F08B439EC94E7D4436F4E13714ECD
6640dllhost.exeC:\ProgramData\11.cmdtext
MD5:F72A7FCEFEA7525842341A36C2077A90
SHA256:0B9BC0A9F1AB520E5E68867394DA713AA1E8DB559D154C2299CC1A84FBE59680
6640dllhost.exeC:\Users\admin\Links\Itpkogjwbinary
MD5:C97CB3A3C841887F09C6559AD6DFA9A7
SHA256:313A2861D39C3C1A412D120AF7FAA54E038DFD2801C298FCC87762DD0B5CA9E0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
156
DNS requests
17
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
2.16.241.12:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4464
SIHClient.exe
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
4464
SIHClient.exe
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2.16.241.12:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
2104
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3216
svchost.exe
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6640
dllhost.exe
162.55.232.49:443
taqareer.tech
Hetzner Online GmbH
DE
unknown
5576
SndVol.exe
172.245.244.120:20908
tredwqasdgghnbvgtredsw.ydns.eu
AS-COLOCROSSING
US
suspicious
4464
SIHClient.exe
20.109.210.53:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 40.127.240.158
whitelisted
crl.microsoft.com
  • 2.16.241.12
  • 2.16.241.19
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 2.23.181.156
whitelisted
google.com
  • 172.217.18.110
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
taqareer.tech
  • 162.55.232.49
unknown
tredwqasdgghnbvgtredsw.ydns.eu
  • 172.245.244.120
unknown
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Misc activity
INFO [ANY.RUN] Dynamic DNS Service (ydns .eu)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
dllhost.exe