File name: 1745836445ccc188f3ef37ae7e35e8f716e6e89e5e5ae59ae470f23bddaca9420f07c36482963.dat-decoded.exe

Full analysis: https://app.any.run/tasks/3eb6c23a-6c8d-4ba9-b77e-0f26fb9c171a
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish partial or complete control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionality for conducting illicit activities on compromised systems. Common RAT features include access to the user's data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Analysis date: April 28, 2025, 10:39:38
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: rat, remcos, remote, evasion
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: AB13EEBC5E58F3E4D335337AC8A3FF46
SHA1: 9861353818ECD8644E7A32E741E2AF232F616184
SHA256: 90D3D574C49353F3F8316A30ED7798E84524A1D8B7C976231C451A32E9E79301
SSDEEP: 12288:sucEko68OD9XdZ3JiY0meNN2od7bQc1kcnB6ZnipWVVVVVVVVVVVVVVVVVv67:go6869wMENXbFt6Zipo

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • REMCOS mutex has been found
      • 1745836445ccc188f3ef37ae7e35e8f716e6e89e5e5ae59ae470f23bddaca9420f07c36482963.dat-decoded.exe (PID: 4336)
    • Connects to the CnC server
      • 1745836445ccc188f3ef37ae7e35e8f716e6e89e5e5ae59ae470f23bddaca9420f07c36482963.dat-decoded.exe (PID: 4336)
    • REMCOS has been detected (SURICATA)
      • 1745836445ccc188f3ef37ae7e35e8f716e6e89e5e5ae59ae470f23bddaca9420f07c36482963.dat-decoded.exe (PID: 4336)
    • REMCOS has been detected
      • 1745836445ccc188f3ef37ae7e35e8f716e6e89e5e5ae59ae470f23bddaca9420f07c36482963.dat-decoded.exe (PID: 4336)
    • REMCOS has been detected (YARA)
      • 1745836445ccc188f3ef37ae7e35e8f716e6e89e5e5ae59ae470f23bddaca9420f07c36482963.dat-decoded.exe (PID: 4336)
  • SUSPICIOUS
    • Checks for external IP
      • svchost.exe (PID: 2196)
    • Contacting a server suspected of hosting a CnC
      • 1745836445ccc188f3ef37ae7e35e8f716e6e89e5e5ae59ae470f23bddaca9420f07c36482963.dat-decoded.exe (PID: 4336)
    • There is functionality for taking screenshots (YARA)
      • 1745836445ccc188f3ef37ae7e35e8f716e6e89e5e5ae59ae470f23bddaca9420f07c36482963.dat-decoded.exe (PID: 4336)
    • Connects to unusual port
      • 1745836445ccc188f3ef37ae7e35e8f716e6e89e5e5ae59ae470f23bddaca9420f07c36482963.dat-decoded.exe (PID: 4336)
  • INFO
    • Reads the machine GUID from the registry
      • 1745836445ccc188f3ef37ae7e35e8f716e6e89e5e5ae59ae470f23bddaca9420f07c36482963.dat-decoded.exe (PID: 4336)
    • Reads the computer name
      • 1745836445ccc188f3ef37ae7e35e8f716e6e89e5e5ae59ae470f23bddaca9420f07c36482963.dat-decoded.exe (PID: 4336)
    • Checks supported languages
      • 1745836445ccc188f3ef37ae7e35e8f716e6e89e5e5ae59ae470f23bddaca9420f07c36482963.dat-decoded.exe (PID: 4336)
    • Creates files in the program directory
      • 1745836445ccc188f3ef37ae7e35e8f716e6e89e5e5ae59ae470f23bddaca9420f07c36482963.dat-decoded.exe (PID: 4336)
    • Checks proxy server information
      • slui.exe (PID: 1388)
    • Reads the software policy settings
      • slui.exe (PID: 1388)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:03:28 06:19:46+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.16
CodeSize: 356864
InitializedDataSize: 140800
UninitializedDataSize: -
EntryPoint: 0x34d64
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
All screenshots are available in the full report
Total processes: 125
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start #REMCOS 1745836445ccc188f3ef37ae7e35e8f716e6e89e5e5ae59ae470f23bddaca9420f07c36482963.dat-decoded.exe svchost.exe slui.exe

Process information

PID: 1388
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 2196
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 4336
CMD: "C:\Users\admin\Desktop\1745836445ccc188f3ef37ae7e35e8f716e6e89e5e5ae59ae470f23bddaca9420f07c36482963.dat-decoded.exe"
Path: C:\Users\admin\Desktop\1745836445ccc188f3ef37ae7e35e8f716e6e89e5e5ae59ae470f23bddaca9420f07c36482963.dat-decoded.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules
Images
c:\users\admin\desktop\1745836445ccc188f3ef37ae7e35e8f716e6e89e5e5ae59ae470f23bddaca9420f07c36482963.dat-decoded.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events: 3 764
Read events: 3 760
Write events: 4
Delete events: 0

Modification events

(PID) Process: (4336) 1745836445ccc188f3ef37ae7e35e8f716e6e89e5e5ae59ae470f23bddaca9420f07c36482963.dat-decoded.exe
Key: HKEY_CURRENT_USER\SOFTWARE\tricoder001922025-WGWG8U
Operation: write
Name: exepath
Value: 86E1C9B28E59A21C22E21CF2B0B49A0F145B1EC6455363946E9CF253E1A3E6D5FC6F8A4D524D226E04E07E0A96E5B4C8963C8CD50945BAE8E6A96AFA51703D16B0ED1861CE174C3C96661AD4986222BF2507DD8E5E1DC45D94286A6133AFCD23299CAE9773469ED64E7B7413F5FAAF5FD82B013D63479B1DBD87F649319256F6B8CFB968102340A09250B2B2E68087D0FD787026BDF11E3B011F72CD196C3C62A0153F838F86087A723FEE64330630D987662B9336B2D8680705682A86012FFCABE2E13D950149977F2F7002D5C6423E44B964CEED08848B2736B202E1017306034D36C96FBFE8FD646E

(PID) Process: (4336) 1745836445ccc188f3ef37ae7e35e8f716e6e89e5e5ae59ae470f23bddaca9420f07c36482963.dat-decoded.exe
Key: HKEY_CURRENT_USER\SOFTWARE\tricoder001922025-WGWG8U
Operation: write
Name: licence
Value: 6214F355B8397CF792A477F14524C9DF

(PID) Process: (4336) 1745836445ccc188f3ef37ae7e35e8f716e6e89e5e5ae59ae470f23bddaca9420f07c36482963.dat-decoded.exe
Key: HKEY_CURRENT_USER\SOFTWARE\tricoder001922025-WGWG8U
Operation: write
Name: time
Value:

(PID) Process: (4336) 1745836445ccc188f3ef37ae7e35e8f716e6e89e5e5ae59ae470f23bddaca9420f07c36482963.dat-decoded.exe
Key: HKEY_CURRENT_USER\SOFTWARE\tricoder001922025-WGWG8U
Operation: write
Name: UID
Value:
Executable files: 0
Suspicious files: 1
Text files: 0
Unknown types: 0

Dropped files

PID: 4336
Process: 1745836445ccc188f3ef37ae7e35e8f716e6e89e5e5ae59ae470f23bddaca9420f07c36482963.dat-decoded.exe
Filename: C:\ProgramData\remcos\logs.dat
Type: binary
MD5: A34835E1A94BE8D57216BE1DE6C172D7
SHA256: 29D46D545F99B3F5D0DD5721CE16C932FEFB6AA29621B0A87DB9E62AB64C961E
HTTP(S) requests: 32
TCP/UDP connections: 59
DNS requests: 29
Threats: 36

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2104 | svchost.exe | GET | 200 | 184.30.18.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
2104 | svchost.exe | GET | 200 | 2.16.241.12:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
 | | GET | 304 | 20.109.210.53:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown
 | | GET | 200 | 20.109.210.53:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown
2140 | SIHClient.exe | GET | 200 | 184.30.18.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | whitelisted
2140 | SIHClient.exe | GET | 200 | 184.30.18.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
2140 | SIHClient.exe | GET | 200 | 2.16.241.12:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | whitelisted
2140 | SIHClient.exe | GET | 200 | 2.16.241.12:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | whitelisted
2140 | SIHClient.exe | GET | 200 | 184.30.18.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
2140 | SIHClient.exe | GET | 200 | 184.30.18.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
 | | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2104 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
 | | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4336 | 1745836445ccc188f3ef37ae7e35e8f716e6e89e5e5ae59ae470f23bddaca9420f07c36482963.dat-decoded.exe | 172.111.163.163:3980 | wealthyblessedman.duckdns.org | | BG | malicious
4336 | 1745836445ccc188f3ef37ae7e35e8f716e6e89e5e5ae59ae470f23bddaca9420f07c36482963.dat-decoded.exe | 172.111.163.163:3981 | wealthyblessedman.duckdns.org | | BG | malicious
2104 | svchost.exe | 2.16.241.12:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4336 | 1745836445ccc188f3ef37ae7e35e8f716e6e89e5e5ae59ae470f23bddaca9420f07c36482963.dat-decoded.exe | 162.216.242.207:3980 | janbours92harbubreakthroughs.loseyourip.com | DYNU | US | malicious
2104 | svchost.exe | 184.30.18.101:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.124.78.146, 40.127.240.158, 4.231.128.59 | whitelisted
google.com | 142.250.184.206 | whitelisted
wealthyblessedman.duckdns.org | 172.111.163.163 | malicious
wealthyblessedma01n.duckdns.org | | unknown
crl.microsoft.com | 2.16.241.12, 2.16.241.14 | whitelisted
allblessingcometome.freemyip.com | | unknown
janbours92harbubreakthroughs.loseyourip.com | 162.216.242.207 | malicious
www.microsoft.com | 184.30.18.101 | whitelisted
client.wns.windows.com | 172.211.123.250 | whitelisted
login.live.com | 20.190.159.75, 20.190.159.4, 20.190.159.64, 20.190.159.0, 40.126.31.0, 40.126.31.69, 20.190.159.73, 40.126.31.129 | whitelisted

Threats

PID | Process | Class | Message
2196 | svchost.exe | Potentially Bad Traffic | ET DYN_DNS DYNAMIC_DNS Query to a *.duckdns .org Domain
2196 | svchost.exe | Misc activity | ET DYN_DNS DYNAMIC_DNS Query to *.duckdns. Domain
2196 | svchost.exe | Potentially Bad Traffic | ET DYN_DNS DYNAMIC_DNS Query to a *.duckdns .org Domain
2196 | svchost.exe | Misc activity | ET DYN_DNS DYNAMIC_DNS Query to *.duckdns. Domain
2196 | svchost.exe | Potentially Bad Traffic | ET DYN_DNS DYNAMIC_DNS Query to a *.duckdns .org Domain
2196 | svchost.exe | Misc activity | ET DYN_DNS DYNAMIC_DNS Query to *.duckdns. Domain
4336 | 1745836445ccc188f3ef37ae7e35e8f716e6e89e5e5ae59ae470f23bddaca9420f07c36482963.dat-decoded.exe | Malware Command and Control Activity Detected | ET MALWARE Remcos 3.x Unencrypted Checkin
4336 | 1745836445ccc188f3ef37ae7e35e8f716e6e89e5e5ae59ae470f23bddaca9420f07c36482963.dat-decoded.exe | Malware Command and Control Activity Detected | ET JA3 Hash - Remcos 3.x/4.x TLS Connection
4336 | 1745836445ccc188f3ef37ae7e35e8f716e6e89e5e5ae59ae470f23bddaca9420f07c36482963.dat-decoded.exe | A Network Trojan was detected | REMOTE [ANY.RUN] REMCOS TLS Connection JA3 Hash
2196 | svchost.exe | Potentially Bad Traffic | ET DYN_DNS DYNAMIC_DNS Query to freemyip .com Domain
No debug info