File name:

174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded

Full analysis: https://app.any.run/tasks/1484f141-8dff-44fb-a9d9-121efbf05d23
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Malware Trends Tracker     >>>
Analysis date: April 29, 2025, 12:49:57
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
delphi
remcos
rat
auto-sch
remote
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 9 sections
MD5:

5D231B5B2CC7DC6D9DD3CC09A7C5684E

SHA1:

9E2B2FFC47DFBA8CE8277C59C32DCF5B0443A8D9

SHA256:

D90AC5CDD18EE64F62CCE7E5A17A787969C213252552BA1E27A547F196F06831

SSDEEP:

49152:n8gq5+bd/bMVcKqEVCLfpimRnxdKnwUSlaAuLw:TlbV4lVItRaw

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 1128)

    • REMCOS mutex has been found

      • qdapevrA.pif (PID: 736)

    • REMCOS has been detected

      • qdapevrA.pif (PID: 736)
      • qdapevrA.pif (PID: 736)

    • REMCOS has been detected (SURICATA)

      • qdapevrA.pif (PID: 736)

  • SUSPICIOUS

    • There is functionality for taking screenshot (YARA)

      • 174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe (PID: 6540)

    • Reads security settings of Internet Explorer

      • 174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe (PID: 6540)
      • qdapevrA.pif (PID: 736)

    • Executing commands from ".cmd" file

      • 174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe (PID: 6540)

    • Starts CMD.EXE for commands execution

      • 174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe (PID: 6540)

    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 1228)

    • Likely accesses (executes) a file from the Public directory

      • esentutl.exe (PID: 2148)
      • alpha.pif (PID: 5200)
      • alpha.pif (PID: 2564)

    • Executable content was dropped or overwritten

      • esentutl.exe (PID: 2148)
      • 174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe (PID: 6540)

    • Drops a file with a rarely used extension (PIF)

      • esentutl.exe (PID: 2148)
      • 174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe (PID: 6540)

    • Starts itself from another location

      • cmd.exe (PID: 5588)

    • Starts application with an unusual extension

      • cmd.exe (PID: 5588)
      • 174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe (PID: 6540)

    • Created directory related to system

      • alpha.pif (PID: 5200)

    • Starts a Microsoft application from unusual location

      • alpha.pif (PID: 5200)
      • alpha.pif (PID: 2564)

    • Contacting a server suspected of hosting an CnC

      • qdapevrA.pif (PID: 736)

    • Connects to unusual port

      • qdapevrA.pif (PID: 736)

  • INFO

    • Checks supported languages

      • 174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe (PID: 6540)
      • alpha.pif (PID: 5200)
      • alpha.pif (PID: 2564)
      • qdapevrA.pif (PID: 736)

    • Reads the computer name

      • 174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe (PID: 6540)
      • qdapevrA.pif (PID: 736)

    • Checks proxy server information

      • 174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe (PID: 6540)
      • qdapevrA.pif (PID: 736)

    • Compiled with Borland Delphi (YARA)

      • 174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe (PID: 6540)

    • Creates files in the program directory

      • 174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe (PID: 6540)
      • qdapevrA.pif (PID: 736)

    • Reads the software policy settings

      • 174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe (PID: 6540)
      • slui.exe (PID: 2140)

    • Auto-launch of the file from Task Scheduler

      • cmd.exe (PID: 1128)

    • The sample compiled with english language support

      • 174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe (PID: 6540)

    • Reads the machine GUID from the registry

      • 174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe (PID: 6540)
      • qdapevrA.pif (PID: 736)

    • Creates files or folders in the user directory

      • qdapevrA.pif (PID: 736)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Delphi generic (37.4)
.scr | Windows screen saver (34.5)
.exe | Win32 Executable (generic) (11.9)
.exe | Win16/32 Executable Delphi generic (5.4)
.exe | Generic Win/DOS Executable (5.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 428544
InitializedDataSize: 574976
UninitializedDataSize: -
EntryPoint: 0x6980c
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
144
Monitored processes
17
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start 174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe sppextcomobj.exe no specs slui.exe svchost.exe cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs ping.exe no specs esentutl.exe alpha.pif no specs alpha.pif no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs #REMCOS qdapevra.pif slui.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
728ping 127.0.0.1 -n 10 C:\Windows\SysWOW64\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
736C:\\Users\\admin\\Links\\qdapevrA.pifC:\Users\admin\Links\qdapevrA.pif
174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe
User:
admin
Company:
David Harris
Integrity Level:
MEDIUM
Description:
Pegasus Mail Mailbox Maintenance Utility
Version:
4.51
Modules
Images
c:\users\admin\links\qdapevra.pif
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
1128C:\WINDOWS\system32\cmd.exe /c C:\\ProgramData\\222.cmdC:\Windows\SysWOW64\cmd.exe174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
1228C:\WINDOWS\system32\cmd.exe /c C:\\ProgramData\\16986.cmdC:\Windows\SysWOW64\cmd.exe174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
1244C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
2140"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEventC:\Windows\System32\slui.exe
SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
2148C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o C:\Windows\SysWOW64\esentutl.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Extensible Storage Engine Utilities for Microsoft(R) Windows(R)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\esentutl.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
2196C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2564C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64" C:\Users\Public\alpha.pifcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\users\public\alpha.pif
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
4892C:\WINDOWS\system32\SppExtComObj.exe -EmbeddingC:\Windows\System32\SppExtComObj.Exesvchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
Total events
1 863
Read events
1 858
Write events
5
Delete events
0

Modification events

(PID) Process:(736) qdapevrA.pifKey:HKEY_CURRENT_USER\SOFTWARE\Rmc-R5QRIR
Operation:writeName:exepath
Value:
F1E61D1292F5402B0C9AE804AA718A89ADFD524E02781830E845CD115E3F7AD6B9BF7BA474A6E83B99A0C76FC80A891C059376F1857DDE5427B108A23D0A217705A67014
(PID) Process:(736) qdapevrA.pifKey:HKEY_CURRENT_USER\SOFTWARE\Rmc-R5QRIR
Operation:writeName:licence
Value:
71190D310CA021E52652EE16E36CA3FF
(PID) Process:(736) qdapevrA.pifKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(736) qdapevrA.pifKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(736) qdapevrA.pifKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
Executable files
3
Suspicious files
4
Text files
4
Unknown types
0

Dropped files

PID
Process
Filename
Type
6540174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exeC:\ProgramData\1893.cmdtext
MD5:1DF650CCA01129127D30063634AB5C03
SHA256:EDD4094E7A82A6FF8BE65D6B075E9513BD15A6B74F8032B5C10CE18F7191FA60
6540174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exeC:\ProgramData\16986.cmdtext
MD5:9A020804EBA1FFAC2928D7C795144BBF
SHA256:A86C6C7A2BF9E12C45275A5E7EBEBD5E6D2BA302FE0A12600B7C9FDF283D9E63
6540174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exeC:\Users\admin\Links\Arvepadq.PIFexecutable
MD5:5D231B5B2CC7DC6D9DD3CC09A7C5684E
SHA256:D90AC5CDD18EE64F62CCE7E5A17A787969C213252552BA1E27A547F196F06831
6540174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exeC:\ProgramData\neo.cmdtext
MD5:5BAF253744AD26F35BA17DB6B80763E9
SHA256:9CBB41E6C4F8565A6D121B770FCF3F15A6891C8DF8BFBA6D0414B3AD3298BDBA
6540174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exeC:\Users\admin\Links\Arvepadqbinary
MD5:89F9CC61F24B0551FFC8C110317762CA
SHA256:9DD74C95B2FDBF60739D69E47000C4AA387C9AE2AEC76D83074D5362D58E572B
2148esentutl.exeC:\Users\Public\alpha.pifexecutable
MD5:D3348AC2130C7E754754A6E9CB053B09
SHA256:E9EF013238495BFFCE7459E059BFFE340A0F08B439EC94E7D4436F4E13714ECD
6540174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exeC:\ProgramData\Arvepadq.urlbinary
MD5:A801A33B06F77E4C873353423680515F
SHA256:E402AE8E2EF7E4C8AF3A7ACB411A3A9CD7F4EC7990FCA376AD3F3DEDBF021403
736qdapevrA.pifC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\json[1].jsonbinary
MD5:5EA9EA6F1378674009F9BA669F1F14D5
SHA256:FAE413CFE57ECA8A54B490E7C8BA5D0131B98EA3FAC724F6D5D3A6EBF0DB1B1E
736qdapevrA.pifC:\ProgramData\remcos\logs.datbinary
MD5:0CC84FECEA3512F7F50C12F1E1203895
SHA256:9A7B0E46C7B51AC4388F4170CC04A588B5EAFDFBB5984A7B05E98144AE964236
6540174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exeC:\Users\admin\Links\qdapevrA.pifexecutable
MD5:3776012E2EF5A5CAE6935853E6CA79B2
SHA256:8E104CC58E62DE0EAB837AC09B01D30E85F79045CC1803FA2EF4EAFBDBD41E8D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
26
DNS requests
20
Threats
12

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4488
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6544
svchost.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
4488
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
736
qdapevrA.pif
GET
200
178.237.33.50:80
http://geoplugin.net/json.gp
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2104
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5496
MoUsoCoreWorker.exe
23.216.77.6:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5496
MoUsoCoreWorker.exe
2.23.246.101:80
www.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted
4
System
192.168.100.255:138
whitelisted
3216
svchost.exe
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
20.190.159.0:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6544
svchost.exe
184.30.131.245:80
ocsp.digicert.com
AKAMAI-AS
US
whitelisted
2112
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.181.238
whitelisted
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.36
whitelisted
www.microsoft.com
  • 2.23.246.101
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
login.live.com
  • 20.190.159.0
  • 20.190.159.130
  • 40.126.31.1
  • 20.190.159.73
  • 40.126.31.129
  • 40.126.31.130
  • 20.190.159.2
  • 40.126.31.131
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
link.storjshare.io
  • 185.244.226.2
malicious
remcoslogs.duckdns.org
  • 107.175.32.184
unknown
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Potentially Bad Traffic
ET FILE_SHARING File Sharing Service Domain in DNS Lookup (link .storjshare .io)
2196
svchost.exe
Misc activity
ET TA_ABUSED_SERVICES Commonly Actor Abused Online Service Domain (storjshare .io)
6540
174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe
Potentially Bad Traffic
ET INFO Observed File Sharing Service Domain (link .storjshare .io in TLS SNI)
6540
174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe
Misc activity
ET TA_ABUSED_SERVICES Observed Commonly Actor Abused Online Service Domain (storjshare .io in TLS SNI)
2196
svchost.exe
Potentially Bad Traffic
ET DYN_DNS DYNAMIC_DNS Query to a *.duckdns .org Domain
2196
svchost.exe
Misc activity
ET DYN_DNS DYNAMIC_DNS Query to *.duckdns. Domain
2196
svchost.exe
Potentially Bad Traffic
ET DYN_DNS DYNAMIC_DNS Query to a *.duckdns .org Domain
2196
svchost.exe
Misc activity
ET DYN_DNS DYNAMIC_DNS Query to *.duckdns. Domain
2196
svchost.exe
Misc activity
ET DYN_DNS DYNAMIC_DNS Query to *.duckdns. Domain
2196
svchost.exe
Potentially Bad Traffic
ET DYN_DNS DYNAMIC_DNS Query to a *.duckdns .org Domain
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded