File name: 07ca769f050c880809506a9ab06e296074cbde7d51ed2cac2bbe4c83bb4f9f20

Full analysis: https://app.any.run/tasks/1c242054-f899-4993-a437-4c21f451592a
Verdict: Malicious activity
Threats: Gh0st RAT

Gh0st RAT is malware with advanced trojan functionality that enables attackers to establish full control over the victim's system. The spying capabilities of Gh0st RAT have made it a go-to tool for numerous criminal groups in high-profile attacks against government and corporate organizations. The most common attack vector involving this malware begins with spam and phishing emails.

Analysis date: May 17, 2025, 19:02:18
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: gh0st
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5: D42FA9600C9D0094B87110720922F988
SHA1: A7F66717E644556EC93DB93E5C40DC473B5811E9
SHA256: 07CA769F050C880809506A9AB06E296074CBDE7D51ED2CAC2BBE4C83BB4F9F20
SSDEEP: 49152:0Qf3BVy7x88988NtgwTx3z9EkR1SVSg5pfi0XW5aGZDrJ:0Qf3S4KBxR1SVSg5p5aZDrJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • GH0ST mutex has been found

      • look2.exe (PID: 7440)
      • svchcst.exe (PID: 7528)
    • Creates or modifies Windows services

      • look2.exe (PID: 7440)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 07ca769f050c880809506a9ab06e296074cbde7d51ed2cac2bbe4c83bb4f9f20.exe (PID: 7416)
      • look2.exe (PID: 7440)
    • Suspicious files were dropped or overwritten

      • look2.exe (PID: 7440)
    • There is functionality for taking screenshot (YARA)

      • 07ca769f050c880809506a9ab06e296074cbde7d51ed2cac2bbe4c83bb4f9f20.exe (PID: 7416)
  • INFO

    • The sample was compiled with Chinese language support

      • 07ca769f050c880809506a9ab06e296074cbde7d51ed2cac2bbe4c83bb4f9f20.exe (PID: 7416)
    • Checks supported languages

      • look2.exe (PID: 7440)
      • 07ca769f050c880809506a9ab06e296074cbde7d51ed2cac2bbe4c83bb4f9f20.exe (PID: 7416)
    • Reads the computer name

      • look2.exe (PID: 7440)
    • Creates files in a temporary directory

      • 07ca769f050c880809506a9ab06e296074cbde7d51ed2cac2bbe4c83bb4f9f20.exe (PID: 7416)
    • Checks proxy server information

      • slui.exe (PID: 7964)
    • Reads the software policy settings

      • slui.exe (PID: 7964)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:09:17 03:22:40+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 520192
InitializedDataSize: 679936
UninitializedDataSize: -
EntryPoint: 0x60d55
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 2.9.0.9
ProductVersionNumber: 2.9.0.9
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
FileVersion: 2.9.0.9
FileDescription: 应用程序
ProductName: PopWndL0g
ProductVersion: 2.9.0.9
CompanyName: RuntimeBroker
LegalCopyright: RuntimeBroker
Comments: PopWndL0g
Total processes: 131
Monitored processes: 5
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Process nodes recovered from the interactive graph (the graph itself is only in the full report): start, 07ca769f050c880809506a9ab06e296074cbde7d51ed2cac2bbe4c83bb4f9f20.exe, look2.exe, svchcst.exe (no specs), slui.exe, 07ca769f050c880809506a9ab06e296074cbde7d51ed2cac2bbe4c83bb4f9f20.exe (no specs)

Process information

PID: 7320
CMD: "C:\Users\admin\Desktop\07ca769f050c880809506a9ab06e296074cbde7d51ed2cac2bbe4c83bb4f9f20.exe"
Path: C:\Users\admin\Desktop\07ca769f050c880809506a9ab06e296074cbde7d51ed2cac2bbe4c83bb4f9f20.exe
Parent process: explorer.exe
User: admin
Company: RuntimeBroker
Integrity Level: MEDIUM
Description: 应用程序
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version: 2.9.0.9
Modules (Images):
c:\users\admin\desktop\07ca769f050c880809506a9ab06e296074cbde7d51ed2cac2bbe4c83bb4f9f20.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

PID: 7416
CMD: "C:\Users\admin\Desktop\07ca769f050c880809506a9ab06e296074cbde7d51ed2cac2bbe4c83bb4f9f20.exe"
Path: C:\Users\admin\Desktop\07ca769f050c880809506a9ab06e296074cbde7d51ed2cac2bbe4c83bb4f9f20.exe
Parent process: explorer.exe
User: admin
Company: RuntimeBroker
Integrity Level: HIGH
Description: 应用程序
Exit code: 0
Version: 2.9.0.9
Modules (Images):
c:\users\admin\desktop\07ca769f050c880809506a9ab06e296074cbde7d51ed2cac2bbe4c83bb4f9f20.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll

PID: 7440
CMD: C:\Users\admin\AppData\Local\Temp\\look2.exe
Path: C:\Users\admin\AppData\Local\Temp\look2.exe
Parent process: 07ca769f050c880809506a9ab06e296074cbde7d51ed2cac2bbe4c83bb4f9f20.exe
User: admin
Integrity Level: HIGH
Description: GradualChange Microsoft 基础类应用程序
Exit code: 0
Version: 1, 0, 0, 1
Modules (Images):
c:\users\admin\appdata\local\temp\look2.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

PID: 7528
CMD: C:\WINDOWS\system32\svchcst.exe "c:\windows\system32\1103171.bat",MainThread
Path: C:\Windows\SysWOW64\svchcst.exe
Parent process: svchost.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows host process (Rundll32)
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (Images):
c:\windows\syswow64\svchcst.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll

PID: 7964
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 3 745
Read events: 3 742
Write events: 3
Delete events: 0

Modification events

(PID) Process: (7440) look2.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\svchcst
Operation: write
Name: Description
Value: 管理基于组件对象模型的核心服务,如果服务被禁用，计算机将无法正常运行。

(PID) Process: (7440) look2.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\svchcst\Parameters
Operation: write
Name: ServiceDll
Value: C:\WINDOWS\system32\1103171.bat

(PID) Process: (7440) look2.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Svchost
Operation: write
Name: svchcst
Value: svchcst
Executable files: 3
Suspicious files: 0
Text files: 1
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
7440 | look2.exe | C:\Windows\SysWOW64\ini.ini | text | 55483267D8A4D785BCDC2DF82CA2C956 | C44C1B3FE899F8341FFD3E11119B358CA321718A0EC6AA2F37AC2C07B151630D
7416 | 07ca769f050c880809506a9ab06e296074cbde7d51ed2cac2bbe4c83bb4f9f20.exe | C:\Users\admin\AppData\Local\Temp\look2.exe | executable | 2F3B6F16E33E28AD75F3FDAEF2567807 | 86492EBF2D6F471A5EE92977318D099B3EA86175B5B7AE522237AE01D07A4857
7416 | 07ca769f050c880809506a9ab06e296074cbde7d51ed2cac2bbe4c83bb4f9f20.exe | C:\Users\admin\AppData\Local\Temp\HD_X.dat | executable | D42FA9600C9D0094B87110720922F988 | 07CA769F050C880809506A9AB06E296074CBDE7D51ED2CAC2BBE4C83BB4F9F20
7440 | look2.exe | C:\Windows\SysWOW64\1103171.bat | executable | CE61A6B2338324ADC82760BD0211A911 | B93F3E5BF73E20D88EDDA05786F4DAFBF082934110D9BB06D309D6041D5865E2
HTTP(S) requests: 9
TCP/UDP connections: 48
DNS requests: 43
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
7784 | SIHClient.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | - | - | whitelisted
7784 | SIHClient.exe | GET | 200 | 23.48.23.162:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | - | - | whitelisted
2104 | svchost.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
2104 | svchost.exe | GET | 200 | 23.48.23.162:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
7784 | SIHClient.exe | GET | 200 | 23.48.23.162:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | - | - | whitelisted
7784 | SIHClient.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | - | - | whitelisted
7784 | SIHClient.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | - | - | whitelisted
7784 | SIHClient.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | unknown | - | - | whitelisted
7784 | SIHClient.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
2104 | svchost.exe | 23.48.23.162:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
2104 | svchost.exe | 23.52.120.96:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
6544 | svchost.exe | 40.126.32.68:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2104 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3216 | svchost.exe | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
7784 | SIHClient.exe | 4.175.87.197:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.104.136.2 | whitelisted
google.com | 142.250.185.206 | whitelisted
client.wns.windows.com | 172.211.123.249, 172.211.123.248 | whitelisted
crl.microsoft.com | 23.48.23.162, 23.48.23.147, 23.48.23.173, 23.48.23.194, 23.48.23.169, 23.48.23.141, 23.48.23.177, 23.48.23.143 | whitelisted
www.microsoft.com | 23.52.120.96 | whitelisted
login.live.com | 40.126.32.68, 20.190.160.17, 20.190.160.14, 20.190.160.22, 40.126.32.74, 20.190.160.2, 40.126.32.76, 20.190.160.130 | whitelisted
kinh.xmcxmr.com | - | unknown
slscr.update.microsoft.com | 4.175.87.197 | whitelisted
fe3cr.delivery.mp.microsoft.com | 52.165.164.15 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted

Threats

No threats detected
No debug info