File name:

174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded

Full analysis: https://app.any.run/tasks/a3b5bb4e-c1c1-44ea-a30e-f1d243eec46a
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Malware Trends Tracker     >>>
Analysis date: April 29, 2025, 13:02:50
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
delphi
auto-sch
rat
remcos
remote
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 9 sections
MD5:

5D231B5B2CC7DC6D9DD3CC09A7C5684E

SHA1:

9E2B2FFC47DFBA8CE8277C59C32DCF5B0443A8D9

SHA256:

D90AC5CDD18EE64F62CCE7E5A17A787969C213252552BA1E27A547F196F06831

SSDEEP:

49152:n8gq5+bd/bMVcKqEVCLfpimRnxdKnwUSlaAuLw:TlbV4lVItRaw

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 6656)

    • REMCOS mutex has been found

      • qdapevrA.pif (PID: 896)

    • REMCOS has been detected

      • qdapevrA.pif (PID: 896)
      • qdapevrA.pif (PID: 896)

    • REMCOS has been detected (SURICATA)

      • qdapevrA.pif (PID: 896)

  • SUSPICIOUS

    • There is functionality for taking screenshot (YARA)

      • 174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe (PID: 7460)

    • Starts CMD.EXE for commands execution

      • 174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe (PID: 7460)
      • qdapevrA.pif (PID: 896)

    • Reads security settings of Internet Explorer

      • 174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe (PID: 7460)
      • qdapevrA.pif (PID: 896)

    • Executing commands from ".cmd" file

      • 174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe (PID: 7460)

    • Likely accesses (executes) a file from the Public directory

      • alpha.pif (PID: 8172)
      • esentutl.exe (PID: 8140)
      • alpha.pif (PID: 6816)

    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 8032)

    • Executable content was dropped or overwritten

      • esentutl.exe (PID: 8140)
      • 174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe (PID: 7460)
      • qdapevrA.pif (PID: 896)

    • Starts a Microsoft application from unusual location

      • alpha.pif (PID: 8172)
      • alpha.pif (PID: 6816)

    • Drops a file with a rarely used extension (PIF)

      • esentutl.exe (PID: 8140)
      • 174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe (PID: 7460)

    • Starts itself from another location

      • cmd.exe (PID: 8000)

    • Starts application with an unusual extension

      • 174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe (PID: 7460)
      • cmd.exe (PID: 8000)

    • Contacting a server suspected of hosting an CnC

      • qdapevrA.pif (PID: 896)

    • Connects to unusual port

      • qdapevrA.pif (PID: 896)

    • Created directory related to system

      • alpha.pif (PID: 8172)

  • INFO

    • Checks supported languages

      • 174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe (PID: 7460)
      • alpha.pif (PID: 8172)
      • qdapevrA.pif (PID: 896)
      • alpha.pif (PID: 6816)

    • Reads the software policy settings

      • 174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe (PID: 7460)
      • slui.exe (PID: 7536)

    • Compiled with Borland Delphi (YARA)

      • 174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe (PID: 7460)

    • The sample compiled with english language support

      • esentutl.exe (PID: 8140)
      • 174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe (PID: 7460)

    • Checks proxy server information

      • 174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe (PID: 7460)
      • qdapevrA.pif (PID: 896)

    • Creates files in the program directory

      • 174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe (PID: 7460)
      • qdapevrA.pif (PID: 896)

    • Auto-launch of the file from Task Scheduler

      • cmd.exe (PID: 6656)

    • Reads the computer name

      • qdapevrA.pif (PID: 896)
      • 174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe (PID: 7460)

    • Reads the machine GUID from the registry

      • qdapevrA.pif (PID: 896)
      • 174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe (PID: 7460)

    • Creates files or folders in the user directory

      • qdapevrA.pif (PID: 896)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Delphi generic (37.4)
.scr | Windows screen saver (34.5)
.exe | Win32 Executable (generic) (11.9)
.exe | Win16/32 Executable Delphi generic (5.4)
.exe | Generic Win/DOS Executable (5.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 428544
InitializedDataSize: 574976
UninitializedDataSize: -
EntryPoint: 0x6980c
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
148
Monitored processes
19
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start 174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe sppextcomobj.exe no specs slui.exe svchost.exe cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs ping.exe no specs esentutl.exe alpha.pif no specs alpha.pif no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs #REMCOS qdapevra.pif slui.exe no specs cmd.exe no specs conhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
744schtasks /create /sc minute /mo 20 /tn "Arvepadq" /tr C:\\ProgramData\\Arvepadq.url"C:\Windows\SysWOW64\schtasks.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
896C:\\Users\\admin\\Links\\qdapevrA.pifC:\Users\admin\Links\qdapevrA.pif
174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe
User:
admin
Company:
David Harris
Integrity Level:
MEDIUM
Description:
Pegasus Mail Mailbox Maintenance Utility
Version:
4.51
Modules
Images
c:\users\admin\links\qdapevra.pif
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
2152cmd.exeC:\Windows\SysWOW64\cmd.exeqdapevrA.pif
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
2196C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
4224\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5116C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
6656C:\WINDOWS\system32\cmd.exe /c C:\\ProgramData\\47.cmdC:\Windows\SysWOW64\cmd.exe174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
6808\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6816C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64" C:\Users\Public\alpha.pifcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\users\public\alpha.pif
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
7460"C:\Users\admin\AppData\Local\Temp\174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe" C:\Users\admin\AppData\Local\Temp\174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
Total events
2 230
Read events
2 225
Write events
5
Delete events
0

Modification events

(PID) Process:(896) qdapevrA.pifKey:HKEY_CURRENT_USER\SOFTWARE\Rmc-R5QRIR
Operation:writeName:exepath
Value:
F1E61D1292F5402B0C9AE804AA718A89ADFD524E02781830E845CD115E3F7AD6B9BF7BA474A6E83B99A0C76FC80A891C059376F1857DDE5427B108A23D0A217705A67014
(PID) Process:(896) qdapevrA.pifKey:HKEY_CURRENT_USER\SOFTWARE\Rmc-R5QRIR
Operation:writeName:licence
Value:
71190D310CA021E52652EE16E36CA3FF
(PID) Process:(896) qdapevrA.pifKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(896) qdapevrA.pifKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(896) qdapevrA.pifKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
Executable files
4
Suspicious files
4
Text files
4
Unknown types
0

Dropped files

PID
Process
Filename
Type
896qdapevrA.pif
MD5:
SHA256:
7460174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exeC:\ProgramData\6714.cmdtext
MD5:9A020804EBA1FFAC2928D7C795144BBF
SHA256:A86C6C7A2BF9E12C45275A5E7EBEBD5E6D2BA302FE0A12600B7C9FDF283D9E63
7460174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exeC:\Users\admin\Links\Arvepadq.PIFexecutable
MD5:5D231B5B2CC7DC6D9DD3CC09A7C5684E
SHA256:D90AC5CDD18EE64F62CCE7E5A17A787969C213252552BA1E27A547F196F06831
896qdapevrA.pifC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\json[1].jsonbinary
MD5:9CA1698DD70C9038FC256F258AD6F06B
SHA256:D988C4DFDE6902341CCD334D8DE3F4E149736416DB0465978330E87944A70508
8140esentutl.exeC:\Users\Public\alpha.pifexecutable
MD5:D3348AC2130C7E754754A6E9CB053B09
SHA256:E9EF013238495BFFCE7459E059BFFE340A0F08B439EC94E7D4436F4E13714ECD
7460174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exeC:\ProgramData\903.cmdtext
MD5:1DF650CCA01129127D30063634AB5C03
SHA256:EDD4094E7A82A6FF8BE65D6B075E9513BD15A6B74F8032B5C10CE18F7191FA60
896qdapevrA.pifC:\ProgramData\remcos\logs.datbinary
MD5:186E533E8081C857643B5EC3BAE94DD3
SHA256:64BE98A429FEFDF8BD13795266D3BDA62B5227CBF541162ADCF2B230778FB624
896qdapevrA.pifC:\Users\admin\AppData\Local\VirtualStore\darkcloudemail.exe.partexecutable
MD5:34FE02E12A8C60465E830D9DD00D5591
SHA256:E790CC905C78399E203476545FA5F44E58589CE358F99C651142EDC8C19D65D9
7460174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exeC:\Users\admin\Links\Arvepadqbinary
MD5:89F9CC61F24B0551FFC8C110317762CA
SHA256:9DD74C95B2FDBF60739D69E47000C4AA387C9AE2AEC76D83074D5362D58E572B
7460174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exeC:\ProgramData\neo.cmdtext
MD5:5BAF253744AD26F35BA17DB6B80763E9
SHA256:9CBB41E6C4F8565A6D121B770FCF3F15A6891C8DF8BFBA6D0414B3AD3298BDBA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
31
DNS requests
20
Threats
22

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2104
svchost.exe
GET
200
23.48.23.181:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
23.48.23.181:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6544
svchost.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
896
qdapevrA.pif
GET
200
178.237.33.50:80
http://geoplugin.net/json.gp
unknown
whitelisted
2104
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
904
SIHClient.exe
GET
200
23.39.157.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
904
SIHClient.exe
GET
200
23.39.157.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5496
MoUsoCoreWorker.exe
23.48.23.181:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2104
svchost.exe
23.48.23.181:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5496
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
2104
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
3216
svchost.exe
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
20.190.159.73:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6544
svchost.exe
184.30.131.245:80
ocsp.digicert.com
AKAMAI-AS
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 20.73.194.208
whitelisted
crl.microsoft.com
  • 23.48.23.181
  • 23.48.23.176
  • 23.48.23.140
  • 23.48.23.180
  • 23.48.23.190
  • 23.48.23.141
  • 23.48.23.139
  • 23.48.23.194
  • 23.48.23.183
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 23.39.157.131
whitelisted
google.com
  • 142.250.186.110
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
login.live.com
  • 20.190.159.73
  • 20.190.159.75
  • 20.190.159.64
  • 40.126.31.67
  • 20.190.159.23
  • 20.190.159.2
  • 20.190.159.129
  • 40.126.31.2
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
link.storjshare.io
  • 185.244.226.2
malicious
remcoslogs.duckdns.org
  • 107.175.32.184
unknown
geoplugin.net
  • 178.237.33.50
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Potentially Bad Traffic
ET FILE_SHARING File Sharing Service Domain in DNS Lookup (link .storjshare .io)
7460
174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe
Potentially Bad Traffic
ET INFO Observed File Sharing Service Domain (link .storjshare .io in TLS SNI)
2196
svchost.exe
Misc activity
ET TA_ABUSED_SERVICES Commonly Actor Abused Online Service Domain (storjshare .io)
7460
174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe
Misc activity
ET TA_ABUSED_SERVICES Observed Commonly Actor Abused Online Service Domain (storjshare .io in TLS SNI)
2196
svchost.exe
Potentially Bad Traffic
ET DYN_DNS DYNAMIC_DNS Query to a *.duckdns .org Domain
2196
svchost.exe
Misc activity
ET DYN_DNS DYNAMIC_DNS Query to *.duckdns. Domain
2196
svchost.exe
Potentially Bad Traffic
ET DYN_DNS DYNAMIC_DNS Query to a *.duckdns .org Domain
2196
svchost.exe
Misc activity
ET DYN_DNS DYNAMIC_DNS Query to *.duckdns. Domain
2196
svchost.exe
Potentially Bad Traffic
ET DYN_DNS DYNAMIC_DNS Query to a *.duckdns .org Domain
2196
svchost.exe
Misc activity
ET DYN_DNS DYNAMIC_DNS Query to *.duckdns. Domain
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded