File name: 7249b3318810e5e740a713895da3de4b3e7929c02dee523e05cec2a1a4a5a564

Full analysis: https://app.any.run/tasks/aedf77bc-1bfe-45ce-986f-275c7f48ee27
Verdict: Malicious activity
Threats:

Gh0st RAT is malware with advanced trojan functionality that lets attackers take full control of the victim's system. Its spying capabilities have made it a go-to tool for numerous criminal groups in high-profile attacks against government and corporate organizations. The most common attack vector involving this malware begins with spam and phishing emails.

Analysis date: June 10, 2025, 19:18:59
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: gh0st, rat, rdp
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5: 9AB44DF2A230AE277FB7B5D5322AC8DD
SHA1: F395616FDB1E674FC8929BFC00DCEBF19171C07E
SHA256: 7249B3318810E5E740A713895DA3DE4B3E7929C02DEE523E05CEC2A1A4A5A564
SSDEEP: 49152:3J6/C6ZCvN7z88988NtMJ+HyH9Nv4Y6BBBBBD2CPc/oouuEsoGc7BWVMtwkaCg9E:Z6/C6ZI6+yfv4o/EgZSQSh5oe

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • GH0ST mutex has been found

      • 7249b3318810e5e740a713895da3de4b3e7929c02dee523e05cec2a1a4a5a564.exe (PID: 3836)
      • svchcst.exe (PID: 1508)
      • svchcst.exe (PID: 5908)
      • svchcst.exe (PID: 3980)
    • Uses sleep, probably for detection evasion (SCRIPT)

      • wscript.exe (PID: 1896)
      • wscript.exe (PID: 5264)
      • wscript.exe (PID: 6220)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 7249b3318810e5e740a713895da3de4b3e7929c02dee523e05cec2a1a4a5a564.exe (PID: 3836)
      • svchcst.exe (PID: 1508)
    • Reads the date of Windows installation

      • 7249b3318810e5e740a713895da3de4b3e7929c02dee523e05cec2a1a4a5a564.exe (PID: 3836)
    • The process executes VB scripts

      • 7249b3318810e5e740a713895da3de4b3e7929c02dee523e05cec2a1a4a5a564.exe (PID: 3836)
      • svchcst.exe (PID: 1508)
    • Reads security settings of Internet Explorer

      • 7249b3318810e5e740a713895da3de4b3e7929c02dee523e05cec2a1a4a5a564.exe (PID: 3836)
      • svchcst.exe (PID: 1508)
    • There is functionality for taking screenshot (YARA)

      • 7249b3318810e5e740a713895da3de4b3e7929c02dee523e05cec2a1a4a5a564.exe (PID: 3836)
      • svchcst.exe (PID: 1508)
    • There is functionality for enabling RDP (YARA)

      • 7249b3318810e5e740a713895da3de4b3e7929c02dee523e05cec2a1a4a5a564.exe (PID: 3836)
      • svchcst.exe (PID: 1508)
    • Accesses WMI object, sets custom ImpersonationLevel (SCRIPT)

      • wscript.exe (PID: 1896)
      • wscript.exe (PID: 5264)
      • wscript.exe (PID: 6220)
    • Executes WMI query (SCRIPT)

      • wscript.exe (PID: 5264)
      • wscript.exe (PID: 1896)
      • wscript.exe (PID: 6220)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 1896)
      • wscript.exe (PID: 5264)
      • wscript.exe (PID: 6220)
  • INFO

    • Checks supported languages

      • 7249b3318810e5e740a713895da3de4b3e7929c02dee523e05cec2a1a4a5a564.exe (PID: 3836)
      • svchcst.exe (PID: 1508)
      • svchcst.exe (PID: 3980)
      • svchcst.exe (PID: 5908)
    • The sample is compiled with Chinese language support

      • 7249b3318810e5e740a713895da3de4b3e7929c02dee523e05cec2a1a4a5a564.exe (PID: 3836)
      • svchcst.exe (PID: 1508)
    • Creates files or folders in the user directory

      • 7249b3318810e5e740a713895da3de4b3e7929c02dee523e05cec2a1a4a5a564.exe (PID: 3836)
      • svchcst.exe (PID: 1508)
    • Reads the computer name

      • 7249b3318810e5e740a713895da3de4b3e7929c02dee523e05cec2a1a4a5a564.exe (PID: 3836)
      • svchcst.exe (PID: 1508)
    • Process checks computer location settings

      • 7249b3318810e5e740a713895da3de4b3e7929c02dee523e05cec2a1a4a5a564.exe (PID: 3836)
      • svchcst.exe (PID: 1508)
    • Checks proxy server information

      • slui.exe (PID: 984)
    • Reads the software policy settings

      • slui.exe (PID: 984)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (35.8)
.exe | Win64 Executable (generic) (31.7)
.scr | Windows screen saver (15)
.dll | Win32 Dynamic Link Library (generic) (7.5)
.exe | Win32 Executable (generic) (5.1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:12:26 01:03:36+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 864256
InitializedDataSize: 245760
UninitializedDataSize: -
EntryPoint: 0xb2656
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
FileVersion: 1.0.0.0
FileDescription: Windows 配置程序
ProductName: Windows TM
ProductVersion: 1.0.0.0
LegalCopyright: 作者版权所有 请尊重并使用正版
Comments: 本程序使用易语言编写(http://www.dywt.com.cn)
Total processes: 142
Monitored processes: 8
Malicious processes: 7
Suspicious processes: 0

Behavior graph

Graph nodes, in the order the report lists them:
  • start
  • #GH0ST 7249b3318810e5e740a713895da3de4b3e7929c02dee523e05cec2a1a4a5a564.exe
  • wscript.exe (no specs)
  • #GH0ST svchcst.exe
  • wscript.exe (no specs)
  • wscript.exe (no specs)
  • #GH0ST svchcst.exe (no specs)
  • #GH0ST svchcst.exe (no specs)
  • slui.exe

Process information

PID: 984
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID: 1508
CMD: "C:\Users\admin\AppData\Roaming\Microsoft\svchcst.exe"
Path: C:\Users\admin\AppData\Roaming\Microsoft\svchcst.exe
Parent process: wscript.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Windows 配置程序
Exit code:
4294967295
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\roaming\microsoft\svchcst.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll

PID: 1896
CMD: "C:\WINDOWS\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\Microsoft\VBS3.vbs"
Path: C:\Windows\SysWOW64\wscript.exe
Parent process: 7249b3318810e5e740a713895da3de4b3e7929c02dee523e05cec2a1a4a5a564.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\syswow64\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

PID: 3836
CMD: "C:\Users\admin\Desktop\7249b3318810e5e740a713895da3de4b3e7929c02dee523e05cec2a1a4a5a564.exe"
Path: C:\Users\admin\Desktop\7249b3318810e5e740a713895da3de4b3e7929c02dee523e05cec2a1a4a5a564.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
4294967295
Modules
Images
c:\users\admin\desktop\7249b3318810e5e740a713895da3de4b3e7929c02dee523e05cec2a1a4a5a564.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll

PID: 3980
CMD: "C:\Users\admin\AppData\Roaming\Microsoft\svchcst.exe"
Path: C:\Users\admin\AppData\Roaming\Microsoft\svchcst.exe
Parent process: wscript.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Windows 配置程序
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\roaming\microsoft\svchcst.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\rpcrt4.dll

PID: 5264
CMD: "C:\WINDOWS\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\Microsoft\VBS3.vbs"
Path: C:\Windows\SysWOW64\wscript.exe
Parent process: svchcst.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\syswow64\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll

PID: 5908
CMD: "C:\Users\admin\AppData\Roaming\Microsoft\svchcst.exe"
Path: C:\Users\admin\AppData\Roaming\Microsoft\svchcst.exe
Parent process: wscript.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Windows 配置程序
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\roaming\microsoft\svchcst.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\rpcrt4.dll

PID: 6220
CMD: "C:\WINDOWS\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\Microsoft\VBS3.vbs"
Path: C:\Windows\SysWOW64\wscript.exe
Parent process: svchcst.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\syswow64\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
Total events: 13 618
Read events: 13 606
Write events: 12
Delete events: 0

Modification events

Process: (3836) 7249b3318810e5e740a713895da3de4b3e7929c02dee523e05cec2a1a4a5a564.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: SlowContextMenuEntries
Value:
6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
Process: (3836) 7249b3318810e5e740a713895da3de4b3e7929c02dee523e05cec2a1a4a5a564.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value:
1
Process: (3836) 7249b3318810e5e740a713895da3de4b3e7929c02dee523e05cec2a1a4a5a564.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value:
1
Process: (3836) 7249b3318810e5e740a713895da3de4b3e7929c02dee523e05cec2a1a4a5a564.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value:
1
Process: (3836) 7249b3318810e5e740a713895da3de4b3e7929c02dee523e05cec2a1a4a5a564.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value:
0
Process: (1896) wscript.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: SlowContextMenuEntries
Value:
6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
Process: (5264) wscript.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: SlowContextMenuEntries
Value:
6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
Process: (6220) wscript.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: SlowContextMenuEntries
Value:
6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
Executable files: 4
Suspicious files: 0
Text files: 3
Unknown types: 0

Dropped files

PID: 3836
Process: 7249b3318810e5e740a713895da3de4b3e7929c02dee523e05cec2a1a4a5a564.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Config.ini
Type: text
MD5:67B9B3E2DED7086F393EBBC36C5E7BCA
SHA256:44063C266686263F14CD2A83FEE124FB3E61A9171A6AAB69709464F49511011D

PID: 3836
Process: 7249b3318810e5e740a713895da3de4b3e7929c02dee523e05cec2a1a4a5a564.exe
Filename: C:\Users\admin\AppData\Roaming\svchcst.exe
Type: executable
MD5:9AB44DF2A230AE277FB7B5D5322AC8DD
SHA256:7249B3318810E5E740A713895DA3DE4B3E7929C02DEE523E05CEC2A1A4A5A564

PID: 3836
Process: 7249b3318810e5e740a713895da3de4b3e7929c02dee523e05cec2a1a4a5a564.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\svchcst.exe
Type: executable
MD5:CBD63E20FB6A2A5DA627B0FEFA6A7E99
SHA256:50048F60DA9BA44AE2B4E4D9D8759624FC023DB042A90229D7C6EFC81154B418

PID: 1508
Process: svchcst.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\VBS3.vbs
Type: text
MD5:88609393FD9B1B0EECAD22144D308F1E
SHA256:411BF127BCD6084001B98927F4A9D6F66057AFDD330ECF054EB0EF69C82505F8

PID: 3836
Process: 7249b3318810e5e740a713895da3de4b3e7929c02dee523e05cec2a1a4a5a564.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\VBS3.vbs
Type: text
MD5:E11B7F28B526D17862375B684B796F6C
SHA256:C61C94EDC1D32B969A0BC7E7FF6DFFA01AB64F471261603A35CFE5DD37609E64

PID: 1508
Process: svchcst.exe
Filename: C:\Users\admin\AppData\Roaming\svchcst.exe
Type: executable
MD5:CBD63E20FB6A2A5DA627B0FEFA6A7E99
SHA256:50048F60DA9BA44AE2B4E4D9D8759624FC023DB042A90229D7C6EFC81154B418

PID: 1508
Process: svchcst.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\svchcst.exe
Type: executable
MD5:F268D32D65612DCC2332AE1D90449060
SHA256:6BF34774DD031AE12A12D821EDE1077B39745511E9F633638842BEA0CDAAD714
HTTP(S) requests: 28
TCP/UDP connections: 48
DNS requests: 18
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1268 | svchost.exe | GET | 200 | 23.48.23.24:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.24:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
4816 | RUXIMICS.exe | GET | 200 | 23.48.23.24:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 2.16.253.202:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
4816 | RUXIMICS.exe | GET | 200 | 2.16.253.202:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 2.16.253.202:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 200 | 20.190.159.73:443 | https://login.live.com/RST2.srf | unknown | xml | 11.1 Kb | whitelisted
- | - | POST | 200 | 20.190.159.0:443 | https://login.live.com/RST2.srf | unknown | - | - | whitelisted
- | - | POST | 200 | 20.190.159.71:443 | https://login.live.com/RST2.srf | unknown | xml | 10.3 Kb | whitelisted
- | - | GET | 304 | 4.245.163.56:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | - | - | -

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1268 | svchost.exe | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4816 | RUXIMICS.exe | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5944 | MoUsoCoreWorker.exe | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1268 | svchost.exe | 23.48.23.24:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.48.23.24:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4816 | RUXIMICS.exe | 23.48.23.24:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 2.16.253.202:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
5944 | MoUsoCoreWorker.exe | 2.16.253.202:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.206
whitelisted
crl.microsoft.com
  • 23.48.23.24
  • 23.48.23.18
  • 23.48.23.31
  • 23.48.23.29
  • 23.48.23.37
  • 23.48.23.45
  • 23.48.23.30
  • 23.48.23.35
  • 23.48.23.51
whitelisted
www.microsoft.com
  • 2.16.253.202
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
login.live.com
  • 20.190.160.66
  • 20.190.160.4
  • 20.190.160.5
  • 40.126.32.136
  • 20.190.160.67
  • 20.190.160.2
  • 20.190.160.20
  • 40.126.32.74
whitelisted
client.wns.windows.com
  • 172.211.123.248
  • 172.211.123.249
whitelisted
nexusrules.officeapps.live.com
  • 52.111.229.48
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted

Threats

No threats detected
No debug info