File name:

b99bf9785ee2e67c45345753cb2aaa6ecc9c48904fe66f2b177e12e570500af6.exe

Full analysis: https://app.any.run/tasks/45b2b95b-8ce7-4ee7-b32f-1b1e2e01c993
Verdict: Malicious activity
Threats:

Gh0st RAT is a malware with advanced trojan functionality that enables attackers to establish full control over the victim’s system. The spying capabilities of Gh0st RAT made it a go-to tool for numerous criminal groups in high-profile attacks against government and corporate organizations. The most common vector of attack involving this malware begins with spam and phishing emails.

Analysis date: August 01, 2025, 01:23:57
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
gh0st
rat
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

F235C67E2F96EEFAE912DAA3527A7F5D

SHA1:

F43B6A22433DFEE74A588BDA1AF6064C68A4AB8E

SHA256:

B99BF9785EE2E67C45345753CB2AAA6ECC9C48904FE66F2B177E12E570500AF6

SSDEEP:

49152:TJ6/C6ZCvN7z88988NtMJ+HyH9bv4Y6BBBBBD2CPc/oouuEsoGc7BWVMtwkaCg93:l6/C6ZM6+y9v4o/EgZSQSh54H

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • GH0ST mutex has been found

      • b99bf9785ee2e67c45345753cb2aaa6ecc9c48904fe66f2b177e12e570500af6.exe (PID: 1592)
      • svchcst.exe (PID: 5084)
      • svchcst.exe (PID: 4888)
      • svchcst.exe (PID: 6180)
      • svchcst.exe (PID: 4820)
      • svchcst.exe (PID: 2848)
      • svchcst.exe (PID: 7016)
      • svchcst.exe (PID: 3620)
      • svchcst.exe (PID: 4748)
      • svchcst.exe (PID: 4100)
      • svchcst.exe (PID: 6796)
      • svchcst.exe (PID: 2620)
      • svchcst.exe (PID: 5460)
      • svchcst.exe (PID: 7032)
      • svchcst.exe (PID: 4884)
      • svchcst.exe (PID: 5780)
      • svchcst.exe (PID: 5552)
      • svchcst.exe (PID: 2612)
      • svchcst.exe (PID: 3740)
    • Uses sleep, probably for detection evasion (SCRIPT)

      • wscript.exe (PID: 1216)
      • wscript.exe (PID: 1100)
  • SUSPICIOUS

    • The process executes VB scripts

      • b99bf9785ee2e67c45345753cb2aaa6ecc9c48904fe66f2b177e12e570500af6.exe (PID: 1592)
    • Executable content was dropped or overwritten

      • b99bf9785ee2e67c45345753cb2aaa6ecc9c48904fe66f2b177e12e570500af6.exe (PID: 1592)
    • Reads security settings of Internet Explorer

      • b99bf9785ee2e67c45345753cb2aaa6ecc9c48904fe66f2b177e12e570500af6.exe (PID: 1592)
    • Accesses WMI object, sets custom ImpersonationLevel (SCRIPT)

      • wscript.exe (PID: 1100)
      • wscript.exe (PID: 1216)
    • Executes WMI query (SCRIPT)

      • wscript.exe (PID: 1216)
      • wscript.exe (PID: 1100)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 1216)
      • wscript.exe (PID: 1100)
    • The process executes via Task Scheduler

      • updater.exe (PID: 3704)
    • Application launched itself

      • updater.exe (PID: 3704)
  • INFO

    • Checks supported languages

      • b99bf9785ee2e67c45345753cb2aaa6ecc9c48904fe66f2b177e12e570500af6.exe (PID: 1592)
      • svchcst.exe (PID: 5084)
      • svchcst.exe (PID: 4888)
      • svchcst.exe (PID: 4100)
      • svchcst.exe (PID: 6796)
      • svchcst.exe (PID: 4820)
      • svchcst.exe (PID: 2848)
      • svchcst.exe (PID: 7016)
      • svchcst.exe (PID: 3620)
      • svchcst.exe (PID: 4748)
      • svchcst.exe (PID: 4884)
      • svchcst.exe (PID: 6180)
      • svchcst.exe (PID: 5552)
      • svchcst.exe (PID: 2620)
      • svchcst.exe (PID: 2612)
      • svchcst.exe (PID: 3740)
      • svchcst.exe (PID: 5460)
      • svchcst.exe (PID: 7032)
      • svchcst.exe (PID: 5780)
      • updater.exe (PID: 3704)
      • updater.exe (PID: 4120)
    • Reads the computer name

      • b99bf9785ee2e67c45345753cb2aaa6ecc9c48904fe66f2b177e12e570500af6.exe (PID: 1592)
      • updater.exe (PID: 3704)
    • Process checks computer location settings

      • b99bf9785ee2e67c45345753cb2aaa6ecc9c48904fe66f2b177e12e570500af6.exe (PID: 1592)
    • Creates files or folders in the user directory

      • b99bf9785ee2e67c45345753cb2aaa6ecc9c48904fe66f2b177e12e570500af6.exe (PID: 1592)
    • Process checks whether UAC notifications are on

      • updater.exe (PID: 3704)
    • Reads the software policy settings

      • slui.exe (PID: 2276)
    • Checks proxy server information

      • slui.exe (PID: 2276)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (35.8)
.exe | Win64 Executable (generic) (31.7)
.scr | Windows screen saver (15)
.dll | Win32 Dynamic Link Library (generic) (7.5)
.exe | Win32 Executable (generic) (5.1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:12:26 00:25:29+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 57344
InitializedDataSize: 512000
UninitializedDataSize: -
EntryPoint: 0xb2656
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
Total processes: 156
Monitored processes: 24
Malicious processes: 21
Suspicious processes: 0

Behavior graph

  • start
  • #GH0ST b99bf9785ee2e67c45345753cb2aaa6ecc9c48904fe66f2b177e12e570500af6.exe
  • wscript.exe (no specs)
  • wscript.exe (no specs)
  • #GH0ST svchcst.exe (no specs)
  • #GH0ST svchcst.exe (no specs)
  • #GH0ST svchcst.exe (no specs)
  • #GH0ST svchcst.exe (no specs)
  • #GH0ST svchcst.exe (no specs)
  • #GH0ST svchcst.exe (no specs)
  • #GH0ST svchcst.exe (no specs)
  • #GH0ST svchcst.exe (no specs)
  • #GH0ST svchcst.exe (no specs)
  • #GH0ST svchcst.exe (no specs)
  • #GH0ST svchcst.exe (no specs)
  • #GH0ST svchcst.exe (no specs)
  • #GH0ST svchcst.exe (no specs)
  • #GH0ST svchcst.exe (no specs)
  • #GH0ST svchcst.exe (no specs)
  • #GH0ST svchcst.exe (no specs)
  • #GH0ST svchcst.exe (no specs)
  • #GH0ST svchcst.exe (no specs)
  • slui.exe
  • updater.exe (no specs)
  • updater.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID:
1100
CMD:
"C:\WINDOWS\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\Microsoft\VBS3.vbs"
Path:
C:\Windows\SysWOW64\wscript.exe
Parent process:
b99bf9785ee2e67c45345753cb2aaa6ecc9c48904fe66f2b177e12e570500af6.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\syswow64\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
1216
CMD:
"C:\WINDOWS\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\Microsoft\VBS3.vbs"
Path:
C:\Windows\SysWOW64\wscript.exe
Parent process:
b99bf9785ee2e67c45345753cb2aaa6ecc9c48904fe66f2b177e12e570500af6.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\syswow64\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
1592
CMD:
"C:\Users\admin\Desktop\b99bf9785ee2e67c45345753cb2aaa6ecc9c48904fe66f2b177e12e570500af6.exe"
Path:
C:\Users\admin\Desktop\b99bf9785ee2e67c45345753cb2aaa6ecc9c48904fe66f2b177e12e570500af6.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
4294967295
Modules
Images
c:\users\admin\desktop\b99bf9785ee2e67c45345753cb2aaa6ecc9c48904fe66f2b177e12e570500af6.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll
PID:
2276
CMD:
C:\WINDOWS\System32\slui.exe -Embedding
Path:
C:\Windows\System32\slui.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID:
2612
CMD:
"C:\Users\admin\AppData\Roaming\Microsoft\svchcst.exe"
Path:
C:\Users\admin\AppData\Roaming\Microsoft\svchcst.exe
Parent process:
wscript.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\roaming\microsoft\svchcst.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\rpcrt4.dll
PID:
2620
CMD:
"C:\Users\admin\AppData\Roaming\Microsoft\svchcst.exe"
Path:
C:\Users\admin\AppData\Roaming\Microsoft\svchcst.exe
Parent process:
wscript.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\roaming\microsoft\svchcst.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\rpcrt4.dll
PID:
2848
CMD:
"C:\Users\admin\AppData\Roaming\Microsoft\svchcst.exe"
Path:
C:\Users\admin\AppData\Roaming\Microsoft\svchcst.exe
Parent process:
wscript.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\roaming\microsoft\svchcst.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\rpcrt4.dll
PID:
3620
CMD:
"C:\Users\admin\AppData\Roaming\Microsoft\svchcst.exe"
Path:
C:\Users\admin\AppData\Roaming\Microsoft\svchcst.exe
Parent process:
wscript.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\roaming\microsoft\svchcst.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\rpcrt4.dll
PID:
3704
CMD:
"C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --wake --system
Path:
C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe
Parent process:
svchost.exe
User:
SYSTEM
Company:
Google LLC
Integrity Level:
SYSTEM
Description:
Google Updater
Exit code:
0
Version:
134.0.6985.0
Modules
Images
c:\program files (x86)\google\googleupdater\134.0.6985.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID:
3740
CMD:
"C:\Users\admin\AppData\Roaming\Microsoft\svchcst.exe"
Path:
C:\Users\admin\AppData\Roaming\Microsoft\svchcst.exe
Parent process:
wscript.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\roaming\microsoft\svchcst.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\rpcrt4.dll
Total events: 17 413
Read events: 17 409
Write events: 4
Delete events: 0

Modification events

(PID) Process:
(1592) b99bf9785ee2e67c45345753cb2aaa6ecc9c48904fe66f2b177e12e570500af6.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts
Operation:
write
Name:
LastUpdate
Value:
37178C6800000000
(PID) Process:
(1592) b99bf9785ee2e67c45345753cb2aaa6ecc9c48904fe66f2b177e12e570500af6.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:
write
Name:
SlowContextMenuEntries
Value:
6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:
(1216) wscript.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:
write
Name:
SlowContextMenuEntries
Value:
6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:
(1100) wscript.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:
write
Name:
SlowContextMenuEntries
Value:
6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
Executable files: 2
Suspicious files: 0
Text files: 3
Unknown types: 0

Dropped files

PID | Process | Filename | Type
1592 | b99bf9785ee2e67c45345753cb2aaa6ecc9c48904fe66f2b177e12e570500af6.exe | C:\Users\admin\AppData\Roaming\svchcst.exe | executable
MD5: F235C67E2F96EEFAE912DAA3527A7F5D
SHA256: B99BF9785EE2E67C45345753CB2AAA6ECC9C48904FE66F2B177E12E570500AF6
1592 | b99bf9785ee2e67c45345753cb2aaa6ecc9c48904fe66f2b177e12e570500af6.exe | C:\Users\admin\AppData\Roaming\Microsoft\VBS3.vbs | text
MD5: ED6F28395C4ECFE3085722317A75FB9B
SHA256: 0F243CBB2D69794C14308AECC9EDC840A54A539D1FDDA5C9469D922CDE771F64
1592 | b99bf9785ee2e67c45345753cb2aaa6ecc9c48904fe66f2b177e12e570500af6.exe | C:\Users\admin\AppData\Roaming\Microsoft\svchcst.exe | executable
MD5: 99D1E2331D2E208E1436767898344C2F
SHA256: 213446FAB9D8651C100CA202B9CA02BC37F34DB23A9750EA00D37D90543A1F9F
1592 | b99bf9785ee2e67c45345753cb2aaa6ecc9c48904fe66f2b177e12e570500af6.exe | C:\Users\admin\AppData\Roaming\Microsoft\Config.ini | text
MD5: 67B9B3E2DED7086F393EBBC36C5E7BCA
SHA256: 44063C266686263F14CD2A83FEE124FB3E61A9171A6AAB69709464F49511011D
4120 | updater.exe | C:\Program Files (x86)\Google\GoogleUpdater\updater.log | text
MD5: 4ED2C7981C41713591072A02D74684C0
SHA256: C2ACC079D9CF7731EF5A0ED0FB579D13DCF634CAEDF4E7E948DB53498FAA118A
HTTP(S) requests: 8
TCP/UDP connections: 19
DNS requests: 7
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
3480 | RUXIMICS.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
3480 | RUXIMICS.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5944 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
3480 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1268 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
3480 | RUXIMICS.exe | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
1268 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.104.136.2, 20.73.194.208 | whitelisted
google.com | 142.250.185.174 | whitelisted
crl.microsoft.com | 23.216.77.6, 23.216.77.28 | whitelisted
www.microsoft.com | 23.35.229.160 | whitelisted
self.events.data.microsoft.com | 13.69.116.109 | whitelisted
activation-v2.sls.microsoft.com | 20.83.72.98 | whitelisted

Threats

No threats detected
No debug info