File name: e49412097e84021f9079b43e61f6d46b8a1737d8bda33d43398d1f366a4d7839.exe

Full analysis: https://app.any.run/tasks/864a2b14-81b2-41c6-8ec1-d649ec5f958a
Verdict: Malicious activity
Threats:

Remcos is a commercially distributed remote administration and surveillance tool that has been widely observed in unauthorized deployments, where threat actors use it to perform remote actions on compromised machines. It is actively maintained by its vendor, with new versions and feature updates released on a frequent, near-monthly basis.

Analysis date: April 16, 2026, 20:07:57
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: auto-reg, remcos
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: A8A8DD042F60D8C27E7BD5B5D3A750FF
SHA1: DDCC45EA5D9298F140A3FE2CF60E050FEB68B684
SHA256: E49412097E84021F9079B43E61F6D46B8A1737D8BDA33D43398D1F366A4D7839
SSDEEP: 12288:hx7Lro+mVoOtZe39V0d+mCmsTOeIWcilcJ7DcrdZsoDcqpWVVVVVVVVVVVVVVVV7:vo+maoJCm5eIMADcrdZ3Dcqp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's information. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • e49412097e84021f9079b43e61f6d46b8a1737d8bda33d43398d1f366a4d7839.exe (PID: 7096)
      • sysconf.exe (PID: 7448)
    • REMCOS has been detected (YARA)

      • sysconf.exe (PID: 7448)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • e49412097e84021f9079b43e61f6d46b8a1737d8bda33d43398d1f366a4d7839.exe (PID: 7096)
    • Starts itself from another location

      • e49412097e84021f9079b43e61f6d46b8a1737d8bda33d43398d1f366a4d7839.exe (PID: 7096)
  • INFO

    • Reads Environment values

      • e49412097e84021f9079b43e61f6d46b8a1737d8bda33d43398d1f366a4d7839.exe (PID: 7096)
    • Checks supported languages

      • e49412097e84021f9079b43e61f6d46b8a1737d8bda33d43398d1f366a4d7839.exe (PID: 7096)
      • sysconf.exe (PID: 7448)
      • sysconf.exe (PID: 7800)
    • Reads the computer name

      • e49412097e84021f9079b43e61f6d46b8a1737d8bda33d43398d1f366a4d7839.exe (PID: 7096)
      • sysconf.exe (PID: 7448)
    • Reads security settings of Internet Explorer

      • e49412097e84021f9079b43e61f6d46b8a1737d8bda33d43398d1f366a4d7839.exe (PID: 7096)
    • Creates files or folders in the user directory

      • e49412097e84021f9079b43e61f6d46b8a1737d8bda33d43398d1f366a4d7839.exe (PID: 7096)
    • Launching a file from a Registry key

      • e49412097e84021f9079b43e61f6d46b8a1737d8bda33d43398d1f366a4d7839.exe (PID: 7096)
      • sysconf.exe (PID: 7448)
    • Process checks computer location settings

      • e49412097e84021f9079b43e61f6d46b8a1737d8bda33d43398d1f366a4d7839.exe (PID: 7096)
    • Manual execution by a user

      • sysconf.exe (PID: 7800)
    • There is functionality for taking screenshot (YARA)

      • sysconf.exe (PID: 7448)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Remcos

Process: sysconf.exe (PID 7448)
C2 (1): 45.151.81.138:24055
Botnet: 24055

Options
Connect_interval: 1
Install_flag: True
Install_HKCU\Run: True
Install_HKLM\Run: True
Install_HKLM\Explorer\Run: 1
Install_HKLM\Winlogon\Shell: 100000
Setup_path: %APPDATA%
Copy_file: sysconf.exe
Startup_value: False
Hide_file: False
Mutex_name: -L67RHW
Keylog_flag: 0
Keylog_path: %LOCALAPPDATA%
Keylog_file: logs.dat
Keylog_crypt: False
Hide_keylog: False
Screenshot_flag: False
Screenshot_time: 5
Take_Screenshot: False
Screenshot_path: %APPDATA%
Screenshot_file: Screenshots
Screenshot_crypt: False
Mouse_option: False
Delete_file: False
Audio_record_time: 5
Audio_path: 1
Audio_dir: MicRecords
Connect_delay: 0
Copy_dir: Roaming
Keylog_dir: remcos

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2026:03:01 07:06:30+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.16
CodeSize: 381952
InitializedDataSize: 144896
UninitializedDataSize: -
EntryPoint: 0x3b4c2
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
All screenshots are available in the full report
Total processes: 137
Monitored processes: 4
Malicious processes: 2
Suspicious processes: 0


Process information

PID: 7096
CMD: "C:\Users\admin\Desktop\e49412097e84021f9079b43e61f6d46b8a1737d8bda33d43398d1f366a4d7839.exe"
Path: C:\Users\admin\Desktop\e49412097e84021f9079b43e61f6d46b8a1737d8bda33d43398d1f366a4d7839.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\e49412097e84021f9079b43e61f6d46b8a1737d8bda33d43398d1f366a4d7839.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 7448
CMD: "C:\Users\admin\AppData\Roaming\Roaming\sysconf.exe"
Path: C:\Users\admin\AppData\Roaming\Roaming\sysconf.exe
Parent process: e49412097e84021f9079b43e61f6d46b8a1737d8bda33d43398d1f366a4d7839.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\roaming\roaming\sysconf.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 7800
CMD: "C:\Users\admin\AppData\Roaming\Roaming\sysconf.exe"
Path: C:\Users\admin\AppData\Roaming\Roaming\sysconf.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
2
Modules
Images
c:\users\admin\appdata\roaming\roaming\sysconf.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
PID: 8156
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 3 924
Read events: 3 915
Write events: 9
Delete events: 0

Modification events

Process: e49412097e84021f9079b43e61f6d46b8a1737d8bda33d43398d1f366a4d7839.exe (PID 7096)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: -L67RHW
Value: "C:\Users\admin\AppData\Roaming\Roaming\sysconf.exe"

Process: e49412097e84021f9079b43e61f6d46b8a1737d8bda33d43398d1f366a4d7839.exe (PID 7096)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: -L67RHW
Value: "C:\Users\admin\AppData\Roaming\Roaming\sysconf.exe"

Process: sysconf.exe (PID 7448)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: -L67RHW
Value: "C:\Users\admin\AppData\Roaming\Roaming\sysconf.exe"

Process: sysconf.exe (PID 7448)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: -L67RHW
Value: "C:\Users\admin\AppData\Roaming\Roaming\sysconf.exe"

Process: sysconf.exe (PID 7448)
Key: HKEY_CURRENT_USER\SOFTWARE\-L67RHW
Operation: write
Name: exepath
Value: FBA6AF0F7F82BD3B664FEA1C30C7A465BEE639EBEE82B02F435D625AD2C48A9BF1C63A705995652790DED9DDC1859F4C5AB89F0B0BC655DC10D203DBF2A14EC9BD4648CC515E1F4F87205DE274508ACC2B19CAF1F7833580A86CEEB936335F70DEAFF47D23D5

Process: sysconf.exe (PID 7448)
Key: HKEY_CURRENT_USER\SOFTWARE\-L67RHW
Operation: write
Name: licence
Value: 0E615A13C427739C40DE840FC1E11717

Process: sysconf.exe (PID 7448)
Key: HKEY_CURRENT_USER\SOFTWARE\-L67RHW
Operation: write
Name: time
Value:

Process: sysconf.exe (PID 7448)
Key: HKEY_CURRENT_USER\SOFTWARE\-L67RHW
Operation: write
Name: UID
Value:

Process: slui.exe (PID 8156)
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\3d\52C64B7E
Operation: write
Name: @%SystemRoot%\System32\sppcomapi.dll,-3200
Value: Software Licensing
Executable files: 1
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID: 7096
Process: e49412097e84021f9079b43e61f6d46b8a1737d8bda33d43398d1f366a4d7839.exe
Filename: C:\Users\admin\AppData\Roaming\Roaming\sysconf.exe
Type: executable
MD5: A8A8DD042F60D8C27E7BD5B5D3A750FF
SHA256: E49412097E84021F9079B43E61F6D46B8A1737D8BDA33D43398D1F366A4D7839
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 44
TCP/UDP connections: 44
DNS requests: 19
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5276 | MoUsoCoreWorker.exe | GET | 304 | 51.104.136.2:443 | https://settings-win.data.microsoft.com/settings/v3.0/wsd/muse?ProcessorClockSpeed=3094&FlightIds=&UpdateOfferedDays=4294967295&BranchReadinessLevel=CB&OEMManufacturerName=DELL&IsCloudDomainJoined=0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&sku=48&ActivationChannel=Retail&AttrDataVer=186&IsMDMEnrolled=0&ProcessorCores=6&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&TotalPhysicalRAM=6144&PrimaryDiskType=4294967295&FlightingBranchName=&ChassisTypeId=1&OEMModelNumber=DELL&SystemVolumeTotalCapacity=260281&sampleId=95271487&deviceClass=Windows.Desktop&App=muse&DisableDualScan=0&AppVer=10.0&OEMSubModel=J5CR&locale=en-US&IsAlwaysOnAlwaysConnectedCapable=0&ms=0&DefaultUserRegion=244&UpdateServiceUrl=http%3A%2F%2Fneverupdatewindows10.com&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&os=windows&deviceId=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&DeferQualityUpdatePeriodInDays=0&ring=Retail&DeferFeatureUpdatePeriodInDays=30 | US | - | - | whitelisted
4488 | SIHClient.exe | GET | 304 | 135.232.92.137:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | US | - | - | whitelisted
4488 | SIHClient.exe | GET | 200 | 135.233.95.135:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | US | - | - | whitelisted
4488 | SIHClient.exe | GET | 200 | 135.232.92.137:443 | https://slscr.update.microsoft.com/sls/ping | US | - | - | whitelisted
4488 | SIHClient.exe | GET | 304 | 135.232.92.137:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | US | - | - | whitelisted
5392 | svchost.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted
5276 | MoUsoCoreWorker.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | US | binary | 814 b | whitelisted
5392 | svchost.exe | GET | 200 | 51.104.136.2:443 | https://settings-win.data.microsoft.com/settings/v3.0/WSD/WaasMedic?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&appVer=10.0.19041.3758&ring=Retail&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4 | US | text | 3.41 Kb | whitelisted
4488 | SIHClient.exe | GET | 304 | 135.232.92.137:443 | https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | US | - | - | whitelisted
8156 | slui.exe | POST | 500 | 48.192.1.64:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | US | xml | 512 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5392 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:137 | - | Not routed | - | whitelisted
5276 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
7352 | slui.exe | 48.192.1.65:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
- | - | 2.16.241.218:443 | www.bing.com | AKAMAI-ASN1 | NL | whitelisted
4 | System | 192.168.100.255:138 | - | Not routed | - | whitelisted
7448 | sysconf.exe | 45.151.81.138:24055 | - | SERVERNET-AS | GB | malicious
5392 | svchost.exe | 23.216.77.28:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
5392 | svchost.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted
5276 | MoUsoCoreWorker.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
activation-v2.sls.microsoft.com
  • 48.192.1.65
whitelisted
www.bing.com
  • 2.16.241.218
  • 2.16.241.201
  • 2.16.241.205
  • 2.16.241.207
whitelisted
google.com
  • 192.178.183.139
  • 192.178.183.102
  • 192.178.183.100
  • 192.178.183.138
  • 192.178.183.113
  • 192.178.183.101
whitelisted
crl.microsoft.com
  • 23.216.77.28
  • 23.216.77.42
  • 23.216.77.20
  • 23.216.77.25
  • 23.216.77.6
  • 23.216.77.41
  • 23.216.77.30
  • 23.216.77.19
whitelisted
www.microsoft.com
  • 88.221.169.152
  • 23.197.162.102
  • 23.59.18.102
whitelisted
self.events.data.microsoft.com
  • 20.189.173.5
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
slscr.update.microsoft.com
  • 135.232.92.137
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 135.233.95.135
whitelisted

Threats

PID: 5392
Process: svchost.exe
Class: Unknown Traffic
Message: ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)