File name:

174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded

Full analysis: https://app.any.run/tasks/2e18788a-0093-4c32-894c-7902fe4111df
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Malware Trends Tracker     >>>
Analysis date: April 29, 2025, 12:39:33
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
delphi
auto-sch
remcos
rat
remote
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 9 sections
MD5:

5D231B5B2CC7DC6D9DD3CC09A7C5684E

SHA1:

9E2B2FFC47DFBA8CE8277C59C32DCF5B0443A8D9

SHA256:

D90AC5CDD18EE64F62CCE7E5A17A787969C213252552BA1E27A547F196F06831

SSDEEP:

49152:n8gq5+bd/bMVcKqEVCLfpimRnxdKnwUSlaAuLw:TlbV4lVItRaw

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 7824)

    • REMCOS mutex has been found

      • qdapevrA.pif (PID: 7944)

    • REMCOS has been detected (SURICATA)

      • qdapevrA.pif (PID: 7944)

    • REMCOS has been detected

      • qdapevrA.pif (PID: 7944)
      • qdapevrA.pif (PID: 7944)

  • SUSPICIOUS

    • There is functionality for taking screenshot (YARA)

      • 174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe (PID: 6988)

    • Reads security settings of Internet Explorer

      • 174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe (PID: 6988)
      • qdapevrA.pif (PID: 7944)

    • Executing commands from ".cmd" file

      • 174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe (PID: 6988)

    • Starts CMD.EXE for commands execution

      • 174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe (PID: 6988)

    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 7604)

    • Likely accesses (executes) a file from the Public directory

      • esentutl.exe (PID: 7708)
      • alpha.pif (PID: 7760)
      • alpha.pif (PID: 7740)

    • Drops a file with a rarely used extension (PIF)

      • esentutl.exe (PID: 7708)
      • 174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe (PID: 6988)

    • Executable content was dropped or overwritten

      • esentutl.exe (PID: 7708)
      • 174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe (PID: 6988)

    • Starts application with an unusual extension

      • cmd.exe (PID: 7564)
      • 174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe (PID: 6988)

    • Starts a Microsoft application from unusual location

      • alpha.pif (PID: 7760)
      • alpha.pif (PID: 7740)

    • Contacting a server suspected of hosting an CnC

      • qdapevrA.pif (PID: 7944)

    • Connects to unusual port

      • qdapevrA.pif (PID: 7944)

    • Starts itself from another location

      • cmd.exe (PID: 7564)

    • Created directory related to system

      • alpha.pif (PID: 7740)

  • INFO

    • Reads the software policy settings

      • 174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe (PID: 6988)
      • slui.exe (PID: 7260)

    • Checks supported languages

      • 174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe (PID: 6988)
      • alpha.pif (PID: 7760)
      • qdapevrA.pif (PID: 7944)
      • alpha.pif (PID: 7740)

    • Reads the computer name

      • 174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe (PID: 6988)
      • qdapevrA.pif (PID: 7944)

    • Compiled with Borland Delphi (YARA)

      • 174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe (PID: 6988)

    • Checks proxy server information

      • 174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe (PID: 6988)
      • qdapevrA.pif (PID: 7944)

    • Creates files in the program directory

      • 174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe (PID: 6988)
      • qdapevrA.pif (PID: 7944)

    • The sample compiled with english language support

      • esentutl.exe (PID: 7708)
      • 174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe (PID: 6988)

    • Auto-launch of the file from Task Scheduler

      • cmd.exe (PID: 7824)

    • Reads the machine GUID from the registry

      • 174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe (PID: 6988)
      • qdapevrA.pif (PID: 7944)

    • Creates files or folders in the user directory

      • qdapevrA.pif (PID: 7944)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Delphi generic (37.4)
.scr | Windows screen saver (34.5)
.exe | Win32 Executable (generic) (11.9)
.exe | Win16/32 Executable Delphi generic (5.4)
.exe | Generic Win/DOS Executable (5.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 428544
InitializedDataSize: 574976
UninitializedDataSize: -
EntryPoint: 0x6980c
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
143
Monitored processes
17
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start 174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe sppextcomobj.exe no specs slui.exe svchost.exe cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs ping.exe no specs esentutl.exe alpha.pif no specs alpha.pif no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs #REMCOS qdapevra.pif slui.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2196C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
6988"C:\Users\admin\AppData\Local\Temp\174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe" C:\Users\admin\AppData\Local\Temp\174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
7216C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
7224C:\WINDOWS\system32\SppExtComObj.exe -EmbeddingC:\Windows\System32\SppExtComObj.Exesvchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
7260"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEventC:\Windows\System32\slui.exe
SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
7564C:\WINDOWS\system32\cmd.exe /c C:\\ProgramData\\42.cmdC:\Windows\SysWOW64\cmd.exe174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
7572\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7604C:\WINDOWS\system32\cmd.exe /c C:\\ProgramData\\862.cmdC:\Windows\SysWOW64\cmd.exe174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
7612\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7680ping 127.0.0.1 -n 10 C:\Windows\SysWOW64\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events
1 818
Read events
1 813
Write events
5
Delete events
0

Modification events

(PID) Process:(7944) qdapevrA.pifKey:HKEY_CURRENT_USER\SOFTWARE\Rmc-R5QRIR
Operation:writeName:exepath
Value:
F1E61D1292F5402B0C9AE804AA718A89ADFD524E02781830E845CD115E3F7AD6B9BF7BA474A6E83B99A0C76FC80A891C059376F1857DDE5427B108A23D0A217705A67014
(PID) Process:(7944) qdapevrA.pifKey:HKEY_CURRENT_USER\SOFTWARE\Rmc-R5QRIR
Operation:writeName:licence
Value:
71190D310CA021E52652EE16E36CA3FF
(PID) Process:(7944) qdapevrA.pifKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(7944) qdapevrA.pifKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(7944) qdapevrA.pifKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
Executable files
3
Suspicious files
4
Text files
4
Unknown types
0

Dropped files

PID
Process
Filename
Type
6988174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exeC:\ProgramData\42.cmdtext
MD5:1DF650CCA01129127D30063634AB5C03
SHA256:EDD4094E7A82A6FF8BE65D6B075E9513BD15A6B74F8032B5C10CE18F7191FA60
7708esentutl.exeC:\Users\Public\alpha.pifexecutable
MD5:D3348AC2130C7E754754A6E9CB053B09
SHA256:E9EF013238495BFFCE7459E059BFFE340A0F08B439EC94E7D4436F4E13714ECD
6988174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exeC:\ProgramData\neo.cmdtext
MD5:5BAF253744AD26F35BA17DB6B80763E9
SHA256:9CBB41E6C4F8565A6D121B770FCF3F15A6891C8DF8BFBA6D0414B3AD3298BDBA
6988174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exeC:\ProgramData\Arvepadq.urlbinary
MD5:05B965F67D7E41C39AC3E009314872D0
SHA256:1EEFDDDCDB23FC73155EC333C71B9261C6A4AA1AD4577CDFEA72BECF1BA2BBCC
6988174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exeC:\Users\admin\Links\Arvepadqbinary
MD5:89F9CC61F24B0551FFC8C110317762CA
SHA256:9DD74C95B2FDBF60739D69E47000C4AA387C9AE2AEC76D83074D5362D58E572B
6988174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exeC:\ProgramData\862.cmdtext
MD5:9A020804EBA1FFAC2928D7C795144BBF
SHA256:A86C6C7A2BF9E12C45275A5E7EBEBD5E6D2BA302FE0A12600B7C9FDF283D9E63
7944qdapevrA.pifC:\ProgramData\remcos\logs.datbinary
MD5:105E53ECDE02547971C5035F479AB6C5
SHA256:8852068D5A9DFE0A9D352F32151DFE259579F5F6E6AC7CAC10DC90C214F4612B
6988174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exeC:\Users\admin\Links\Arvepadq.PIFexecutable
MD5:5D231B5B2CC7DC6D9DD3CC09A7C5684E
SHA256:D90AC5CDD18EE64F62CCE7E5A17A787969C213252552BA1E27A547F196F06831
6988174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exeC:\Users\admin\Links\qdapevrA.pifexecutable
MD5:3776012E2EF5A5CAE6935853E6CA79B2
SHA256:8E104CC58E62DE0EAB837AC09B01D30E85F79045CC1803FA2EF4EAFBDBD41E8D
6988174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exeC:\ProgramData\519.cmdtext
MD5:2E689D3B03BC948891640877694F8845
SHA256:5620ADE9D7ED2BC37A89A8061E88B6861BFDAD6E6D5A7431EDB52BBBEE0F738A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
28
DNS requests
18
Threats
8

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
23.48.23.173:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2104
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
7944
qdapevrA.pif
GET
200
178.237.33.50:80
http://geoplugin.net/json.gp
unknown
whitelisted
6544
svchost.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
8088
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
8088
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
GET
200
23.48.23.173:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2104
svchost.exe
GET
200
23.48.23.173:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
5496
MoUsoCoreWorker.exe
23.48.23.173:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
23.48.23.173:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2104
svchost.exe
23.48.23.173:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5496
MoUsoCoreWorker.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
2104
svchost.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
6544
svchost.exe
20.190.160.20:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.184.238
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
crl.microsoft.com
  • 23.48.23.173
  • 23.48.23.156
  • 23.48.23.194
  • 23.48.23.141
  • 23.48.23.183
  • 23.48.23.158
  • 23.48.23.169
  • 23.48.23.162
  • 23.48.23.176
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
login.live.com
  • 20.190.160.20
  • 40.126.32.76
  • 20.190.160.130
  • 20.190.160.66
  • 40.126.32.134
  • 40.126.32.140
  • 20.190.160.5
  • 40.126.32.133
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
link.storjshare.io
  • 185.244.226.2
malicious
remcoslogs.duckdns.org
  • 107.175.32.184
unknown
geoplugin.net
  • 178.237.33.50
whitelisted

Threats

PID
Process
Class
Message
6988
174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe
Potentially Bad Traffic
ET INFO Observed File Sharing Service Domain (link .storjshare .io in TLS SNI)
2196
svchost.exe
Potentially Bad Traffic
ET FILE_SHARING File Sharing Service Domain in DNS Lookup (link .storjshare .io)
6988
174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe
Misc activity
ET TA_ABUSED_SERVICES Observed Commonly Actor Abused Online Service Domain (storjshare .io in TLS SNI)
2196
svchost.exe
Misc activity
ET TA_ABUSED_SERVICES Commonly Actor Abused Online Service Domain (storjshare .io)
2196
svchost.exe
Potentially Bad Traffic
ET DYN_DNS DYNAMIC_DNS Query to a *.duckdns .org Domain
2196
svchost.exe
Misc activity
ET DYN_DNS DYNAMIC_DNS Query to *.duckdns. Domain
7944
qdapevrA.pif
A Network Trojan was detected
REMOTE [ANY.RUN] REMCOS TLS Connection JA3 Hash
7944
qdapevrA.pif
Malware Command and Control Activity Detected
ET JA3 Hash - Remcos 3.x/4.x TLS Connection
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded