File name:

3d05a3574cc1a041e721ba95f25de138517d65e2b4cb60854013d56b086728a9

Full analysis: https://app.any.run/tasks/3676db02-c2d7-4ad2-9825-b3d935441982
Verdict: Malicious activity
Threats:

Gh0st RAT is a malware with advanced trojan functionality that enables attackers to establish full control over the victim’s system. The spying capabilities of Gh0st RAT made it a go-to tool for numerous criminal groups in high-profile attacks against government and corporate organizations. The most common vector of attack involving this malware begins with spam and phishing emails.

Malware Trends Tracker     >>>
Analysis date: December 14, 2024, 12:20:08
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
opendir
remote
rat
gh0st
arch-exec
arch-doc
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:

6A3D6CA7819AB95ADD89A52BCF5C38B1

SHA1:

606BF1706687D2896D401FE13A0AE60898D4D780

SHA256:

3D05A3574CC1A041E721BA95F25DE138517D65E2B4CB60854013D56B086728A9

SSDEEP:

24576:cBissSh156qCDN8NezCDUomnfDhMYIVP:cBissSRDfNezCQomfF2V

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes antivirus protection settings for downloading files from the Internet (IOAVProtection)

      • powershell.exe (PID: 7040)

    • Changes settings for real-time protection

      • powershell.exe (PID: 6892)

    • Changes powershell execution policy (Unrestricted)

      • 3d05a3574cc1a041e721ba95f25de138517d65e2b4cb60854013d56b086728a9.exe (PID: 6480)

    • Adds path to the Windows Defender exclusion list

      • 3d05a3574cc1a041e721ba95f25de138517d65e2b4cb60854013d56b086728a9.exe (PID: 6480)

    • Changes settings for reporting to Microsoft Active Protection Service (MAPS)

      • powershell.exe (PID: 7124)

    • GH0ST has been detected (SURICATA)

      • vtreamsetup.exe (PID: 5888)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 3d05a3574cc1a041e721ba95f25de138517d65e2b4cb60854013d56b086728a9.exe (PID: 6480)

    • Script disables Windows Defender's behavior monitoring

      • 3d05a3574cc1a041e721ba95f25de138517d65e2b4cb60854013d56b086728a9.exe (PID: 6480)

    • Script disables Windows Defender's real-time protection

      • 3d05a3574cc1a041e721ba95f25de138517d65e2b4cb60854013d56b086728a9.exe (PID: 6480)

    • Script adds exclusion path to Windows Defender

      • 3d05a3574cc1a041e721ba95f25de138517d65e2b4cb60854013d56b086728a9.exe (PID: 6480)

    • The process drops C-runtime libraries

      • 3d05a3574cc1a041e721ba95f25de138517d65e2b4cb60854013d56b086728a9.exe (PID: 6480)

    • Likely accesses (executes) a file from the Public directory

      • powershell.exe (PID: 3532)
      • vtreamsetup.exe (PID: 5888)
      • vtreamsetup.exe (PID: 5156)

    • Starts POWERSHELL.EXE for commands execution

      • 3d05a3574cc1a041e721ba95f25de138517d65e2b4cb60854013d56b086728a9.exe (PID: 6480)

    • Executable content was dropped or overwritten

      • 3d05a3574cc1a041e721ba95f25de138517d65e2b4cb60854013d56b086728a9.exe (PID: 6480)

    • Process drops legitimate windows executable

      • 3d05a3574cc1a041e721ba95f25de138517d65e2b4cb60854013d56b086728a9.exe (PID: 6480)

    • Contacting a server suspected of hosting an CnC

      • vtreamsetup.exe (PID: 5888)

    • Connects to unusual port

      • vtreamsetup.exe (PID: 5888)

  • INFO

    • Checks supported languages

      • 3d05a3574cc1a041e721ba95f25de138517d65e2b4cb60854013d56b086728a9.exe (PID: 6480)
      • vtreamsetup.exe (PID: 5888)

    • Reads the computer name

      • 3d05a3574cc1a041e721ba95f25de138517d65e2b4cb60854013d56b086728a9.exe (PID: 6480)
      • vtreamsetup.exe (PID: 5888)

    • The process uses the downloaded file

      • 3d05a3574cc1a041e721ba95f25de138517d65e2b4cb60854013d56b086728a9.exe (PID: 6480)
      • powershell.exe (PID: 6864)
      • powershell.exe (PID: 3532)
      • powershell.exe (PID: 7100)
      • powershell.exe (PID: 6980)
      • powershell.exe (PID: 7124)
      • powershell.exe (PID: 6936)
      • powershell.exe (PID: 7040)
      • powershell.exe (PID: 6892)
      • OpenWith.exe (PID: 4596)

    • Process checks computer location settings

      • 3d05a3574cc1a041e721ba95f25de138517d65e2b4cb60854013d56b086728a9.exe (PID: 6480)

    • The sample compiled with english language support

      • 3d05a3574cc1a041e721ba95f25de138517d65e2b4cb60854013d56b086728a9.exe (PID: 6480)

    • Reads the machine GUID from the registry

      • vtreamsetup.exe (PID: 5888)

    • The sample compiled with chinese language support

      • 3d05a3574cc1a041e721ba95f25de138517d65e2b4cb60854013d56b086728a9.exe (PID: 6480)

    • Reads CPU info

      • vtreamsetup.exe (PID: 5888)

    • Sends debugging messages

      • vtreamsetup.exe (PID: 5888)
      • Acrobat.exe (PID: 6160)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 7124)
      • powershell.exe (PID: 6892)
      • powershell.exe (PID: 6980)
      • powershell.exe (PID: 3532)
      • powershell.exe (PID: 6936)
      • powershell.exe (PID: 7100)
      • powershell.exe (PID: 7040)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 6864)
      • powershell.exe (PID: 6980)
      • powershell.exe (PID: 6936)
      • powershell.exe (PID: 7040)
      • powershell.exe (PID: 6892)
      • powershell.exe (PID: 7100)
      • powershell.exe (PID: 7124)
      • powershell.exe (PID: 3532)

    • Manual execution by a user

      • vtreamsetup.exe (PID: 5568)
      • vtreamsetup.exe (PID: 6072)
      • notepad.exe (PID: 2292)
      • notepad.exe (PID: 3612)
      • notepad.exe (PID: 5556)
      • OpenWith.exe (PID: 4596)
      • notepad.exe (PID: 848)
      • notepad.exe (PID: 6336)
      • notepad.exe (PID: 1876)
      • notepad.exe (PID: 6252)

    • Reads security settings of Internet Explorer

      • notepad.exe (PID: 3612)
      • notepad.exe (PID: 848)
      • notepad.exe (PID: 5556)
      • notepad.exe (PID: 2292)
      • notepad.exe (PID: 6336)
      • notepad.exe (PID: 1876)
      • notepad.exe (PID: 6252)
      • OpenWith.exe (PID: 4596)

    • Reads Microsoft Office registry keys

      • OpenWith.exe (PID: 4596)

    • Application launched itself

      • Acrobat.exe (PID: 5540)
      • AcroCEF.exe (PID: 6940)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0x32fd6
UninitializedDataSize: -
InitializedDataSize: 647168
CodeSize: 581632
LinkerVersion: 6
PEType: PE32
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
TimeStamp: 2024:10:23 12:19:21+00:00
MachineType: Intel 386 or later, and compatibles
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
165
Monitored processes
40
Malicious processes
2
Suspicious processes
3

Behavior graph

Click at the process to see the details
start svchost.exe 3d05a3574cc1a041e721ba95f25de138517d65e2b4cb60854013d56b086728a9.exe powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs vtreamsetup.exe no specs #GH0ST vtreamsetup.exe vtreamsetup.exe no specs vtreamsetup.exe notepad.exe no specs notepad.exe no specs notepad.exe no specs notepad.exe no specs notepad.exe no specs notepad.exe no specs openwith.exe no specs notepad.exe no specs acrobat.exe acrobat.exe no specs acrocef.exe no specs acrocef.exe no specs acrocef.exe no specs acrocef.exe acrocef.exe no specs acrocef.exe no specs acrocef.exe no specs acrocef.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2192C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
6480"C:\Users\admin\Desktop\3d05a3574cc1a041e721ba95f25de138517d65e2b4cb60854013d56b086728a9.exe" C:\Users\admin\Desktop\3d05a3574cc1a041e721ba95f25de138517d65e2b4cb60854013d56b086728a9.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\3d05a3574cc1a041e721ba95f25de138517d65e2b4cb60854013d56b086728a9.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
6864"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-ExecutionPolicy UnrestrictedC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe3d05a3574cc1a041e721ba95f25de138517d65e2b4cb60854013d56b086728a9.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
6872\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6892"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $trueC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe3d05a3574cc1a041e721ba95f25de138517d65e2b4cb60854013d56b086728a9.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
6904\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6936"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBehaviorMonitoring $trueC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe3d05a3574cc1a041e721ba95f25de138517d65e2b4cb60854013d56b086728a9.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
6952\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6980"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $trueC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe3d05a3574cc1a041e721ba95f25de138517d65e2b4cb60854013d56b086728a9.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
6996\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
59 126
Read events
59 024
Write events
100
Delete events
2

Modification events

(PID) Process:(5540) Acrobat.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-2034283098-2252572593-1072577386-2659511007-3245387615-27016815-3920691934
Operation:writeName:DisplayName
Value:
Adobe Acrobat Reader Protected Mode
(PID) Process:(6160) Acrobat.exeKey:HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\ExitSection
Operation:writeName:bLastExitNormal
Value:
0
(PID) Process:(6160) Acrobat.exeKey:HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVEntitlement
Operation:writeName:bSynchronizeOPL
Value:
0
(PID) Process:(6160) Acrobat.exeKey:HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVGeneral
Operation:writeName:uLastAppLaunchTimeStamp
Value:
(PID) Process:(6160) Acrobat.exeKey:HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVGeneral
Operation:writeName:iNumAcrobatLaunches
Value:
7
(PID) Process:(6160) Acrobat.exeKey:HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\HomeWelcomeFirstMile
Operation:writeName:iCardCountShown
Value:
3
(PID) Process:(6160) Acrobat.exeKey:HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\DLLInjection
Operation:writeName:bBlockDLLInjection
Value:
0
(PID) Process:(6160) Acrobat.exeKey:HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVEntitlement
Operation:writeName:sProductGUID
Value:
4143524F4241545F475549445F4E474C5F44554D4D5900
(PID) Process:(6160) Acrobat.exeKey:HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVEntitlement
Operation:writeName:sProductGUID
Value:
4143524F5F5245534944554500
(PID) Process:(6160) Acrobat.exeKey:HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AdobeViewer
Operation:delete valueName:ProductInfoCache
Value:
Executable files
45
Suspicious files
122
Text files
49
Unknown types
0

Dropped files

PID
Process
Filename
Type
64803d05a3574cc1a041e721ba95f25de138517d65e2b4cb60854013d56b086728a9.exeC:\Users\Public\Downloads\vst4ySmvG3wizb.dat
MD5:
SHA256:
64803d05a3574cc1a041e721ba95f25de138517d65e2b4cb60854013d56b086728a9.exeC:\Users\Public\stdio\api-ms-win-core-file-l1-2-0.dllexecutable
MD5:79EE4A2FCBE24E9A65106DE834CCDA4A
SHA256:9F7BDA59FAAFC8A455F98397A63A7F7D114EFC4E8A41808C791256EBF33C7613
64803d05a3574cc1a041e721ba95f25de138517d65e2b4cb60854013d56b086728a9.exeC:\Users\Public\stdio\api-ms-win-core-synch-l1-2-0.dllexecutable
MD5:6E704280D632C2F8F2CADEFCAE25AD85
SHA256:758A2F9EF6908B51745DB50D89610FE1DE921D93B2DBEA919BFDBA813D5D8893
64803d05a3574cc1a041e721ba95f25de138517d65e2b4cb60854013d56b086728a9.exeC:\Users\Public\stdio\api-ms-win-crt-stdio-l1-1-0.dllexecutable
MD5:D5166AB3034F0E1AA679BFA1907E5844
SHA256:7BCAB4CA00FB1F85FEA29DD3375F709317B984A6F3B9BA12B8CF1952F97BEEE5
64803d05a3574cc1a041e721ba95f25de138517d65e2b4cb60854013d56b086728a9.exeC:\Users\Public\stdio\api-ms-win-crt-filesystem-l1-1-0.dllexecutable
MD5:228C6BBE1BCE84315E4927392A3BAEE5
SHA256:AC0CEC8644340125507DD0BC9A90B1853A2D194EB60A049237FB5E752D349065
64803d05a3574cc1a041e721ba95f25de138517d65e2b4cb60854013d56b086728a9.exeC:\Users\Public\stdio\api-ms-win-core-localization-l1-2-0.dllexecutable
MD5:23BD405A6CFD1E38C74C5150EEC28D0A
SHA256:A7FA48DE6C06666B80184AFEE7E544C258E0FB11399AB3FE47D4E74667779F41
64803d05a3574cc1a041e721ba95f25de138517d65e2b4cb60854013d56b086728a9.exeC:\Users\Public\stdio\api-ms-win-crt-convert-l1-1-0.dllexecutable
MD5:9DDEA3CC96E0FDD3443CC60D649931B3
SHA256:B7C3EBC36C84630A52D23D1C0E79D61012DFA44CDEBDF039AF31EC9E322845A5
64803d05a3574cc1a041e721ba95f25de138517d65e2b4cb60854013d56b086728a9.exeC:\Users\Public\stdio\0f40fc17.ppfbinary
MD5:BBA2E0EC20CDCB6CF637E21284FC29BE
SHA256:6EDFDC4856F81BBA4B5EE19D06266C9792B400CF564D15D6518BCD934D5CD70E
64803d05a3574cc1a041e721ba95f25de138517d65e2b4cb60854013d56b086728a9.exeC:\Users\Public\stdio\api-ms-win-core-timezone-l1-1-0.dllexecutable
MD5:C9A55DE62E53D747C5A7FDDEDEF874F9
SHA256:B5C725BBB475B5C06CC6CB2A2C3C70008F229659F88FBA25CCD5D5C698D06A4B
64803d05a3574cc1a041e721ba95f25de138517d65e2b4cb60854013d56b086728a9.exeC:\Users\Public\stdio\api-ms-win-crt-heap-l1-1-0.dllexecutable
MD5:1776A2B85378B27825CF5E5A3A132D9A
SHA256:675B1B82DD485CC8C8A099272DB9241D0D2A7F45424901F35231B79186EC47EE
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
29
DNS requests
14
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6480
3d05a3574cc1a041e721ba95f25de138517d65e2b4cb60854013d56b086728a9.exe
GET
200
27.124.47.7:80
http://download.linuxroot.site/download/3190.dat
unknown
OPTIONS
204
3.233.129.217:443
https://p13n.adobe.io/psdk/v2/content?surfaceId=ACROBAT_READER_MASTER_SURFACEID&surfaceId=DC_READER_LAUNCH_CARD&surfaceId=DC_Reader_RHP_Banner&surfaceId=DC_Reader_RHP_Retention&surfaceId=Edit_InApp_Aug2020&surfaceId=DC_FirstMile_Right_Sec_Surface&surfaceId=DC_Reader_Upsell_Cards&surfaceId=DC_FirstMile_Home_View_Surface&surfaceId=DC_Reader_RHP_Intent_Banner&surfaceId=DC_Reader_Disc_LHP_Banner&surfaceId=DC_Reader_Edit_LHP_Banner&surfaceId=DC_Reader_Convert_LHP_Banner&surfaceId=DC_Reader_Sign_LHP_Banner&surfaceId=DC_Reader_More_LHP_Banner&surfaceId=DC_Reader_Disc_LHP_Retention&adcProductLanguage=en-us&adcVersion=23.1.20093&adcProductType=SingleClientMini&adcOSType=WIN&adcCountryCode=MY&adcXAPIClientID=api_reader_desktop_win_23.1.20093&encodingScheme=BASE_64
unknown
6092
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
23.48.23.177:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6092
svchost.exe
GET
200
23.48.23.177:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
52.6.155.20:443
https://p13n.adobe.io/psdk/v2/content?surfaceId=ACROBAT_READER_MASTER_SURFACEID&surfaceId=DC_READER_LAUNCH_CARD&surfaceId=DC_Reader_RHP_Banner&surfaceId=DC_Reader_RHP_Retention&surfaceId=Edit_InApp_Aug2020&surfaceId=DC_FirstMile_Right_Sec_Surface&surfaceId=DC_Reader_Upsell_Cards&surfaceId=DC_FirstMile_Home_View_Surface&surfaceId=DC_Reader_RHP_Intent_Banner&surfaceId=DC_Reader_Disc_LHP_Banner&surfaceId=DC_Reader_Edit_LHP_Banner&surfaceId=DC_Reader_Convert_LHP_Banner&surfaceId=DC_Reader_Sign_LHP_Banner&surfaceId=DC_Reader_More_LHP_Banner&surfaceId=DC_Reader_Disc_LHP_Retention&adcProductLanguage=en-us&adcVersion=23.1.20093&adcProductType=SingleClientMini&adcOSType=WIN&adcCountryCode=MY&adcXAPIClientID=api_reader_desktop_win_23.1.20093&encodingScheme=BASE_64
unknown
binary
187 b
whitelisted
GET
200
23.48.23.149:443
https://acroipm2.adobe.com/23/rdr_64x/ENU/win/nooem/none/consumer/message.zip
unknown
compressed
141 Kb
whitelisted
GET
200
184.30.20.134:443
https://armmf.adobe.com/onboarding/smskillreader.txt
unknown
text
120 b
whitelisted
GET
200
23.218.208.137:443
https://geo2.adobe.com/
unknown
text
50 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4712
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
6092
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
104.126.37.155:443
www.bing.com
Akamai International B.V.
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
6480
3d05a3574cc1a041e721ba95f25de138517d65e2b4cb60854013d56b086728a9.exe
27.124.47.7:80
download.linuxroot.site
BGPNET Global ASN
SG
unknown
4712
MoUsoCoreWorker.exe
23.48.23.177:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
6092
svchost.exe
23.48.23.177:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
6092
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
whitelisted
www.bing.com
  • 104.126.37.155
  • 104.126.37.170
  • 104.126.37.137
  • 104.126.37.131
  • 104.126.37.136
  • 104.126.37.163
  • 104.126.37.154
  • 104.126.37.160
  • 104.126.37.139
whitelisted
google.com
  • 142.250.185.174
whitelisted
download.linuxroot.site
  • 27.124.47.7
unknown
crl.microsoft.com
  • 23.48.23.177
  • 23.48.23.143
  • 23.48.23.166
  • 23.48.23.176
  • 23.48.23.173
  • 23.48.23.147
  • 23.48.23.164
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
www.baiodu.com
unknown
hehua.cookielive.top
  • 156.245.23.51
malicious
geo2.adobe.com
  • 184.28.88.176
whitelisted
p13n.adobe.io
  • 52.6.155.20
  • 3.219.243.226
  • 52.22.41.97
  • 3.233.129.217
whitelisted

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET DNS Query to a *.top domain - Likely Hostile
Malware Command and Control Activity Detected
REMOTE [ANY.RUN] Gh0stRAT TCP Packet
Process
Message
vtreamsetup.exe
vtreamsetup.exe
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
3d05a3574cc1a041e721ba95f25de138517d65e2b4cb60854013d56b086728a9