File name: zmh8535663201.exe
Full analysis: https://app.any.run/tasks/71616214-f644-4176-aef1-d8cdfb4ce466
Verdict: Malicious activity
Threats:

Gh0st RAT is a remote access trojan that gives the operator full control over the infected system. Its spying capabilities have made it a go-to tool for numerous criminal groups in high-profile attacks against government and corporate organizations. The most common infection vector is spam and phishing email.

Analysis date: June 02, 2026, 17:26:47
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
payload
remote
rat
gh0st
stego
auto-reg
auto-sch
Indicators:
MD5:

F121814711B8A1325B0440CE3E616DE6

SHA1:

BB8157287184A6CCCBF5657AC28A4CF20380926F

SHA256:

C562DF3C7AC0CF1E261430D61740573C8295B7258EAA256E267629DEF6750376

SSDEEP:

98304:RH7idjD7nEzg3wgy0VZSC/Lixw1q0hIWKceYxVtQWPtwFpNRl5mdRMh9YiYnodQH:O

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • zmh8535663201.exe (PID: 3164)
      • zmh8535663201.exe (PID: 6792)
    • Changes the autorun value in the registry

      • 4ebgZl.exe (PID: 1684)
      • mNV1fh.exe (PID: 3416)
    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 8336)
      • cmd.exe (PID: 4944)
      • cmd.exe (PID: 2784)
      • cmd.exe (PID: 1656)
      • cmd.exe (PID: 8324)
      • cmd.exe (PID: 7296)
      • cmd.exe (PID: 9120)
      • cmd.exe (PID: 5588)
      • cmd.exe (PID: 2332)
      • cmd.exe (PID: 6936)
    • Modifies exclusions in Windows Defender

      • reg.exe (PID: 7296)
      • reg.exe (PID: 8224)
      • reg.exe (PID: 7144)
      • reg.exe (PID: 8348)
      • reg.exe (PID: 1524)
      • reg.exe (PID: 7404)
      • reg.exe (PID: 8136)
      • reg.exe (PID: 8280)
      • reg.exe (PID: 8432)
      • reg.exe (PID: 2156)
    • Gh0st has been detected

      • mNV1fh.exe (PID: 3416)
    • The process uses screensaver hijack for persistence

      • mNV1fh.exe (PID: 3416)
    • Starts NET.EXE for service management

      • cmd.exe (PID: 3140)
      • net.exe (PID: 6644)
      • net.exe (PID: 4856)
      • net.exe (PID: 9112)
      • net.exe (PID: 7944)
    • Uses NET.EXE to stop Windows Update service

      • cmd.exe (PID: 3140)
      • net.exe (PID: 4856)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 6472)
    • Changes the Windows auto-update feature

      • reg.exe (PID: 2452)
  • SUSPICIOUS

    • Reads the date of Windows installation

      • zmh8535663201.exe (PID: 3164)
      • 4ebgZl.exe (PID: 1684)
    • Application launched itself

      • zmh8535663201.exe (PID: 3164)
    • Executable content was dropped or overwritten

      • zmh8535663201.exe (PID: 6792)
      • 4ebgZl.exe (PID: 1684)
      • mNV1fh.exe (PID: 3416)
    • Likely accesses (executes) a file from the Public directory

      • 4ebgZl.exe (PID: 1684)
      • cmd.exe (PID: 5864)
      • icacls.exe (PID: 8044)
      • cmd.exe (PID: 2088)
      • cmd.exe (PID: 8336)
      • icacls.exe (PID: 8740)
      • cmd.exe (PID: 1524)
      • icacls.exe (PID: 1312)
      • cmd.exe (PID: 2016)
      • schtasks.exe (PID: 5752)
      • icacls.exe (PID: 8936)
      • cmd.exe (PID: 7408)
      • cmd.exe (PID: 9204)
      • icacls.exe (PID: 6628)
      • cmd.exe (PID: 1112)
      • icacls.exe (PID: 8452)
      • cmd.exe (PID: 6104)
      • reg.exe (PID: 7296)
      • icacls.exe (PID: 8916)
      • cmd.exe (PID: 4856)
      • icacls.exe (PID: 8096)
      • icacls.exe (PID: 8492)
      • cmd.exe (PID: 8540)
      • cmd.exe (PID: 2912)
      • icacls.exe (PID: 7948)
      • cmd.exe (PID: 4156)
      • cmd.exe (PID: 2896)
      • icacls.exe (PID: 5316)
      • cmd.exe (PID: 4304)
      • icacls.exe (PID: 684)
      • icacls.exe (PID: 5712)
      • cmd.exe (PID: 6132)
      • icacls.exe (PID: 9104)
      • 4ebgZl.exe (PID: 5696)
      • cmd.exe (PID: 8640)
      • icacls.exe (PID: 2336)
    • The process executes via Task Scheduler

      • 4ebgZl.exe (PID: 1684)
      • cmd.exe (PID: 9204)
      • cmd.exe (PID: 1776)
      • cmd.exe (PID: 8008)
      • cmd.exe (PID: 2088)
      • cmd.exe (PID: 7856)
      • 3NKcVB.exe (PID: 9044)
      • mNV1fh.exe (PID: 8440)
      • cmd.exe (PID: 7140)
      • cmd.exe (PID: 8044)
      • cmd.exe (PID: 4832)
      • cmd.exe (PID: 8552)
      • cmd.exe (PID: 5840)
      • mNV1fh.exe (PID: 4968)
      • 3NKcVB.exe (PID: 800)
    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 5864)
      • cmd.exe (PID: 2088)
      • cmd.exe (PID: 8336)
      • cmd.exe (PID: 1524)
      • cmd.exe (PID: 2016)
      • cmd.exe (PID: 9204)
      • cmd.exe (PID: 1112)
      • cmd.exe (PID: 7408)
      • cmd.exe (PID: 4856)
      • cmd.exe (PID: 6104)
      • cmd.exe (PID: 2912)
      • cmd.exe (PID: 8540)
      • cmd.exe (PID: 4156)
      • cmd.exe (PID: 6132)
      • cmd.exe (PID: 2896)
      • cmd.exe (PID: 4304)
      • cmd.exe (PID: 8640)
      • cmd.exe (PID: 4944)
      • cmd.exe (PID: 1776)
      • cmd.exe (PID: 7528)
      • cmd.exe (PID: 2784)
      • cmd.exe (PID: 8324)
      • cmd.exe (PID: 8008)
      • cmd.exe (PID: 7856)
      • cmd.exe (PID: 1656)
      • cmd.exe (PID: 2088)
      • cmd.exe (PID: 8204)
      • cmd.exe (PID: 8816)
      • cmd.exe (PID: 4356)
      • cmd.exe (PID: 7296)
      • cmd.exe (PID: 3140)
      • cmd.exe (PID: 7768)
      • cmd.exe (PID: 572)
      • cmd.exe (PID: 8804)
      • cmd.exe (PID: 7140)
      • cmd.exe (PID: 9008)
      • cmd.exe (PID: 5712)
      • cmd.exe (PID: 9124)
      • cmd.exe (PID: 3340)
      • cmd.exe (PID: 8924)
      • cmd.exe (PID: 1776)
      • cmd.exe (PID: 8408)
      • cmd.exe (PID: 8896)
      • cmd.exe (PID: 8404)
      • cmd.exe (PID: 9120)
      • cmd.exe (PID: 8044)
      • cmd.exe (PID: 7144)
      • cmd.exe (PID: 8200)
      • cmd.exe (PID: 2332)
      • cmd.exe (PID: 5588)
      • cmd.exe (PID: 4832)
      • cmd.exe (PID: 5840)
      • cmd.exe (PID: 6936)
      • cmd.exe (PID: 8552)
    • Uses ICACLS.EXE to modify access control lists

      • cmd.exe (PID: 2088)
      • cmd.exe (PID: 5864)
      • cmd.exe (PID: 1524)
      • cmd.exe (PID: 2016)
      • cmd.exe (PID: 7408)
      • cmd.exe (PID: 1112)
      • cmd.exe (PID: 6104)
      • cmd.exe (PID: 8540)
      • cmd.exe (PID: 4856)
      • cmd.exe (PID: 4156)
      • cmd.exe (PID: 2896)
      • cmd.exe (PID: 4304)
      • cmd.exe (PID: 6132)
      • cmd.exe (PID: 2912)
      • cmd.exe (PID: 8640)
      • cmd.exe (PID: 8816)
      • cmd.exe (PID: 4356)
      • cmd.exe (PID: 572)
      • cmd.exe (PID: 8804)
      • cmd.exe (PID: 9008)
      • cmd.exe (PID: 9124)
      • cmd.exe (PID: 8896)
      • cmd.exe (PID: 3340)
      • cmd.exe (PID: 8924)
      • cmd.exe (PID: 8408)
      • cmd.exe (PID: 5712)
      • cmd.exe (PID: 8404)
      • cmd.exe (PID: 1776)
      • cmd.exe (PID: 8200)
      • cmd.exe (PID: 7144)
      • cmd.exe (PID: 3140)
    • Starts CMD.EXE with AutoRun commands disabled

      • cmd.exe (PID: 8336)
      • cmd.exe (PID: 9204)
      • cmd.exe (PID: 4944)
      • cmd.exe (PID: 1776)
      • cmd.exe (PID: 2784)
      • cmd.exe (PID: 8008)
      • cmd.exe (PID: 8324)
      • cmd.exe (PID: 1656)
      • cmd.exe (PID: 2088)
      • cmd.exe (PID: 7856)
      • cmd.exe (PID: 7296)
      • cmd.exe (PID: 3140)
      • cmd.exe (PID: 7140)
      • cmd.exe (PID: 9120)
      • cmd.exe (PID: 8044)
      • cmd.exe (PID: 4832)
      • cmd.exe (PID: 2332)
      • cmd.exe (PID: 5840)
      • cmd.exe (PID: 5588)
      • cmd.exe (PID: 8552)
      • cmd.exe (PID: 6936)
    • Creates scheduled task with highest privileges

      • cmd.exe (PID: 8336)
      • schtasks.exe (PID: 5752)
      • cmd.exe (PID: 4944)
      • schtasks.exe (PID: 6472)
      • schtasks.exe (PID: 1192)
      • cmd.exe (PID: 8324)
      • cmd.exe (PID: 2784)
      • cmd.exe (PID: 1656)
      • schtasks.exe (PID: 2880)
      • schtasks.exe (PID: 5568)
      • cmd.exe (PID: 7296)
      • schtasks.exe (PID: 8024)
      • cmd.exe (PID: 9120)
      • schtasks.exe (PID: 7936)
      • schtasks.exe (PID: 7408)
      • cmd.exe (PID: 2332)
      • cmd.exe (PID: 5588)
      • schtasks.exe (PID: 2736)
      • schtasks.exe (PID: 8876)
      • cmd.exe (PID: 6936)
    • Found strings related to reading or modifying Windows Defender settings

      • 4ebgZl.exe (PID: 1684)
      • mNV1fh.exe (PID: 3416)
    • Deletes scheduled task without confirmation

      • schtasks.exe (PID: 1180)
      • schtasks.exe (PID: 6796)
      • schtasks.exe (PID: 5116)
      • schtasks.exe (PID: 5800)
      • schtasks.exe (PID: 3536)
      • schtasks.exe (PID: 2692)
      • schtasks.exe (PID: 9160)
      • schtasks.exe (PID: 7580)
      • schtasks.exe (PID: 8356)
      • schtasks.exe (PID: 8696)
    • Uses REG/REGEDIT.EXE to modify or delete registry entries

      • cmd.exe (PID: 9204)
      • cmd.exe (PID: 1776)
      • cmd.exe (PID: 7528)
      • cmd.exe (PID: 8008)
      • cmd.exe (PID: 7856)
      • cmd.exe (PID: 2088)
      • cmd.exe (PID: 7140)
      • cmd.exe (PID: 8044)
      • cmd.exe (PID: 4832)
      • cmd.exe (PID: 5840)
      • cmd.exe (PID: 8552)
      • cmd.exe (PID: 3140)
    • Creates file in the systems drive root

      • mNV1fh.exe (PID: 3416)
      • cmd.exe (PID: 7768)
    • Modifies hosts file to alter network resolution

      • mNV1fh.exe (PID: 3416)
    • Hides command output

      • cmd.exe (PID: 3140)
    • Uses REG/REGEDIT.EXE to disable service

      • cmd.exe (PID: 3140)
      • reg.exe (PID: 5752)
    • Starts CMD.EXE with special quote handling

      • cmd.exe (PID: 3140)
    • Starts CMD.EXE with output disabled

      • cmd.exe (PID: 3140)
    • Removal of system recovery components

      • cmd.exe (PID: 3140)
    • Service autostart disabling

      • cmd.exe (PID: 3140)
      • sc.exe (PID: 2340)
      • sc.exe (PID: 4824)
      • sc.exe (PID: 8352)
      • sc.exe (PID: 6208)
    • The process deletes folder without confirmation

      • mNV1fh.exe (PID: 3416)
    • File deletion via cmd.exe

      • cmd.exe (PID: 3140)
    • Stops or disables Windows UPDATE services

      • sc.exe (PID: 2340)
      • sc.exe (PID: 8352)
      • sc.exe (PID: 4824)
    • Windows service management via SC.EXE

      • sc.exe (PID: 2340)
      • sc.exe (PID: 3076)
      • sc.exe (PID: 5828)
      • sc.exe (PID: 6208)
      • sc.exe (PID: 8352)
      • sc.exe (PID: 5500)
      • sc.exe (PID: 4824)
      • sc.exe (PID: 6260)
    • Takes ownership (TAKEOWN.EXE)

      • cmd.exe (PID: 3140)
    • Process checks specific path in scheduled tasks

      • powershell.exe (PID: 6472)
    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 3140)
    • Hides errors and continues executing the command without stopping

      • powershell.exe (PID: 6472)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 3140)
    • Creates or modifies Windows services

      • reg.exe (PID: 5752)
      • reg.exe (PID: 8676)
  • INFO

    • Checks supported languages

      • zmh8535663201.exe (PID: 3164)
      • zmh8535663201.exe (PID: 6792)
      • 4ebgZl.exe (PID: 1684)
      • mNV1fh.exe (PID: 3416)
      • mNV1fh.exe (PID: 8440)
      • 3NKcVB.exe (PID: 9044)
      • mNV1fh.exe (PID: 7948)
      • mNV1fh.exe (PID: 4968)
      • 3NKcVB.exe (PID: 800)
    • Process checks computer location settings

      • zmh8535663201.exe (PID: 3164)
      • 4ebgZl.exe (PID: 1684)
      • mNV1fh.exe (PID: 3416)
    • Reads security settings of Internet Explorer

      • zmh8535663201.exe (PID: 3164)
      • zmh8535663201.exe (PID: 6792)
      • 4ebgZl.exe (PID: 1684)
      • mNV1fh.exe (PID: 3416)
    • Reads the computer name

      • zmh8535663201.exe (PID: 3164)
      • zmh8535663201.exe (PID: 6792)
      • 4ebgZl.exe (PID: 1684)
      • mNV1fh.exe (PID: 3416)
    • Reads the machine GUID from the registry

      • zmh8535663201.exe (PID: 6792)
      • 4ebgZl.exe (PID: 1684)
    • The sample was compiled with English language support

      • zmh8535663201.exe (PID: 6792)
      • 4ebgZl.exe (PID: 1684)
      • mNV1fh.exe (PID: 3416)
    • Launching a file from a Registry key

      • 4ebgZl.exe (PID: 1684)
      • mNV1fh.exe (PID: 3416)
    • Launching a file from Task Scheduler

      • cmd.exe (PID: 8336)
      • cmd.exe (PID: 4944)
      • cmd.exe (PID: 2784)
      • cmd.exe (PID: 8324)
      • cmd.exe (PID: 1656)
      • cmd.exe (PID: 7296)
      • cmd.exe (PID: 9120)
      • cmd.exe (PID: 5588)
      • cmd.exe (PID: 2332)
      • cmd.exe (PID: 6936)
    • Manual execution by a user

      • 4ebgZl.exe (PID: 5696)
      • cmd.exe (PID: 7528)
      • mNV1fh.exe (PID: 7948)
    • Creates files or folders in the user directory

      • 4ebgZl.exe (PID: 1684)
    • Changes file name

      • cmd.exe (PID: 3140)
    • FOR cycle in command line

      • cmd.exe (PID: 3140)
    • There is functionality for taking screenshot (YARA)

      • mNV1fh.exe (PID: 3416)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 6472)
No Malware configuration.
No data.
Total processes: 368
Monitored processes: 217
Malicious processes: 14
Suspicious processes: 30

Behavior graph

(The interactive process graph is only available in the full report. The node labels recovered from it show the chain start → zmh8535663201.exe → zmh8535663201.exe → 4ebgZl.exe, then repeated cmd.exe → conhost.exe / icacls.exe / schtasks.exe / reg.exe fan-outs, the node tagged #GH0ST (mNV1fh.exe), 3NKcVB.exe, and further cmd.exe children net.exe, net1.exe, sc.exe, takeown.exe, icacls.exe, reg.exe and powershell.exe. Most nodes are marked "no specs" in the graph.)

Process information

Only the entries reproduced on this page (PIDs 572 through 1192, in PID order) are listed below; processes named in the signatures above with higher PIDs, such as 3416 (mNV1fh.exe), appear only in the full report. Each entry gives the PID and command line, then the image path, parent process and process details.

PID 572: cmd.exe /c icacls "C:\Program Files (x86)\mNV1fh" /grant:r Users:(OI)(CI)(RX) /deny Users:(OI)(CI)(DC)
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: mNV1fh.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Note: the RAT's install directory is reset to read/execute for Users (/grant:r replaces existing grants) with an inherited deny on delete-child (DC), so non-administrators cannot remove its contents.
Modules:
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID 684: icacls "C:\Users\Public\7oshG0\msadox.tb" /grant:r Users:(RX) /deny Users:(DE)
Path: C:\Windows\System32\icacls.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Note: the dropped msadox.tb is left read/execute for Users with an explicit deny on Delete (DE), so a non-administrator cannot remove it.
Modules:
c:\windows\system32\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ntmarta.dll
PID 736: icacls C:\Windows\System32\wuaueng_BAK.dll /remove *S-1-1-0
Path: C:\Windows\SysWOW64\icacls.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Exit code: 2
Version: 10.0.19041.1 (WinBuild.160101.0800)
Note: *S-1-1-0 is the well-known SID for Everyone. This is the 32-bit icacls.exe (SysWOW64), so the C:\Windows\System32 path in its argument is subject to WOW64 file-system redirection to SysWOW64; the exit code 2 (the Win32 ERROR_FILE_NOT_FOUND value) is consistent with the target not resolving from that process.
Modules:
c:\windows\syswow64\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID 800: "C:\Program Files (x86)\VkNOoy0m\3NKcVB.exe"
Path: C:\Program Files (x86)\VkNOoy0m\3NKcVB.exe
Parent process: svchost.exe
User: admin
Company: Speech Processing Solutions GmbH
Integrity Level: HIGH
Description: Philips Speech Driver Client Configuration
Exit code: 0
Version: 4.7.471.07
Note: by its version resource this is a third-party Philips speech-driver utility, started from the attacker-created VkNOoy0m directory by svchost.exe; the "executes via Task Scheduler" signature above lists this PID. mNV1fh.exe (PID 3416) wrote image.png into the same directory (see Dropped files).
Modules:
c:\program files (x86)\vknooy0m\3nkcvb.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID 932: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Note: a console host running as SYSTEM, so its parent cmd.exe was itself running as SYSTEM, the account the scheduled tasks below are created with.
Modules:
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 996: icacls C:\Windows\System32\wuaueng.dll /grant *S-1-1-0:F
Path: C:\Windows\SysWOW64\icacls.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Exit code: 2
Version: 10.0.19041.1 (WinBuild.160101.0800)
Note: grants Everyone (*S-1-1-0) full control of wuaueng.dll, the Windows Update Agent engine, as part of the update tampering recorded by the "Stops or disables Windows UPDATE services" and "Takes ownership (TAKEOWN.EXE)" signatures. Issued from the 32-bit icacls.exe under WOW64, where C:\Windows\System32 is redirected to SysWOW64; the exit code 2 (ERROR_FILE_NOT_FOUND) is consistent with that.
Modules:
c:\windows\syswow64\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID 1112: cmd.exe /c icacls "C:\Users\Public\7oshG0\4ebgZl.exe" /grant:r Users:(RX) /deny Users:(DE)
Path: C:\Windows\System32\cmd.exe
Parent process: 4ebgZl.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Note: 4ebgZl.exe protecting its own image on disk from deletion by non-administrators, the same ACL pattern applied to msadox.tb above.
Modules:
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID 1132: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules:
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 1180: SCHTASKS /Delete /TN "Task1" /F
Path: C:\Windows\System32\schtasks.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Task Scheduler Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Note: removes the task after it has run. The signature lists above record ten task creations with highest privileges, ten forced deletions and ten reg.exe exclusion writes, consistent with "Task1" being created, executed and deleted once per excluded path.
Modules:
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 1192: SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\" /t REG_DWORD /d 0 /f"
Path: C:\Windows\System32\schtasks.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Task Scheduler Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Note: the task runs as SYSTEM at the highest run level and its action adds C:\Users as a Windows Defender path exclusion; a write of exactly that value is recorded under Modification events (reg.exe, PID 7144). The detour through a one-shot SYSTEM task is used because the Windows Defender registry keys are not writable by administrators directly, only by SYSTEM (and, with Tamper Protection enabled, not even then).
Modules:
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
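As an added example (not part of the ANY.RUN report), the following Python script applies the checks the signatures above describe to the command lines in this table: it unwraps cmd.exe /c, parses the /TR action of a schtasks /Create (including its escaped quotes), flags tasks that run as SYSTEM with /RL HIGHEST and actions that write Windows Defender exclusions, and flags icacls invocations that deny deletion or grant Everyone (S-1-1-0) full control on a System32 file. The sample command lines are copied from the entries above; the rule names are my own.

```python
import re

# Constructed sample input: the command lines from the process table above, copied
# verbatim into raw strings so the backslashes and the \" escapes survive.
SAMPLE_CMDLINES = [
    r'cmd.exe /c icacls "C:\Program Files (x86)\mNV1fh" /grant:r Users:(OI)(CI)(RX) /deny Users:(OI)(CI)(DC)',
    r'icacls "C:\Users\Public\7oshG0\msadox.tb" /grant:r Users:(RX) /deny Users:(DE)',
    r'icacls C:\Windows\System32\wuaueng_BAK.dll /remove *S-1-1-0',
    r'icacls C:\Windows\System32\wuaueng.dll /grant *S-1-1-0:F',
    r'SCHTASKS /Delete /TN "Task1" /F',
    r'SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\" /t REG_DWORD /d 0 /f"',
    r'\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1',
]

_CMD_WRAPPER = re.compile(r'\s*"?(?:[^\s"]*\\)?cmd(?:\.exe)?"?\s+/[ck]\s+(.*)$', re.I | re.S)
_TR_ARG = re.compile(r'/TR\s+"((?:[^"\\]|\\.)*)"', re.I)      # /TR "..." with \" inside
_DENY_ACE = re.compile(r'/deny\s+[^\s:]+:(\S+)', re.I)
_GRANT_EVERYONE_FULL = re.compile(r'/grant(?::r)?\s+\*S-1-1-0:F\b', re.I)   # S-1-1-0 = Everyone


def _tokens(cmd):
    """Split on whitespace, keeping double-quoted arguments together."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def _unwrap(cmd):
    """Return the command run by 'cmd.exe /c ...', or the line unchanged."""
    m = _CMD_WRAPPER.match(cmd)
    return m.group(1) if m else cmd


def check_cmdline(cmd):
    """Return [(rule, detail), ...] for one process command line."""
    inner = _unwrap(cmd)
    tokens = _tokens(inner)
    if not tokens:
        return []
    image = tokens[0].rsplit("\\", 1)[-1].lower()
    findings = []

    if image in ("schtasks", "schtasks.exe"):
        if re.search(r'/create\b', inner, re.I):
            tr = _TR_ARG.search(inner)
            action = tr.group(1).replace('\\"', '"') if tr else ""   # un-escape \" -> "
            as_system = re.search(r'/RU\s+"?SYSTEM"?', inner, re.I)
            highest = re.search(r'/RL\s+HIGHEST\b', inner, re.I)
            if as_system and highest:
                findings.append(("task_runs_as_system", action))
            if re.search(r'\breg(?:\.exe)?\s+add\b', action, re.I) and \
                    "windows defender\\exclusions" in action.lower():
                findings.append(("defender_exclusion_via_task", action))
        elif re.search(r'/delete\b', inner, re.I) and re.search(r'\s/F\b', inner, re.I):
            findings.append(("task_deleted_without_confirmation", inner))

    elif image in ("icacls", "icacls.exe") and len(tokens) > 1:
        target = tokens[1]
        deny = _DENY_ACE.search(inner)
        if deny and re.search(r'\((?:DE|DC)\)', deny.group(1), re.I):   # DE = delete, DC = delete child
            findings.append(("icacls_deny_delete", target))
        if "\\windows\\system32\\" in target.lower():
            findings.append(("icacls_on_system32_file", target))
        if _GRANT_EVERYONE_FULL.search(inner):
            findings.append(("icacls_everyone_full_control", target))

    return findings


def analyze(cmdlines):
    """Run check_cmdline over a list of command lines and flatten the results."""
    return [f for cmd in cmdlines for f in check_cmdline(cmd)]


if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_CMDLINES):
        print(f"{rule:34} {detail}")
```

Run against a process-creation log (Sysmon event 1 or 4688 with command-line auditing) rather than the sandbox table, the same rules would have fired ten times for the schtasks/reg pattern alone.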
Total events: 19 983 (read: 19 952, write: 31, delete: 0)

Modification events

PID 6792, zmh8535663201.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\JDBCC
Operation: write
Name: data
Value: 77396E586B42506C4168613673396F38616B5A46573530354C5843386F34536B2A2F26FEFD4711D17C90FEFE869C879D9799D09C8D96FEFE4CE5FEFECFC6CBD0CDFEFEFE

PID 1684, 4ebgZl.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Tencent SecurityHealth
Value: "C:\Users\Public\7oshG0\4ebgZl.exe"

PID 1684, 4ebgZl.exe
Key: HKEY_CURRENT_USER\SOFTWARE\ODBDC
Operation: write
Name: revbs
Value: 1

PID 7296, reg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
Operation: write
Name: C:\Users\Public\7oshG0
Value: 0

PID 1684, 4ebgZl.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\PermissionManager
Operation: write
Name: PermProcessed_12387126252193074910
Value: 1

PID 1684, 4ebgZl.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value: (empty)

PID 1684, 4ebgZl.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

PID 1684, 4ebgZl.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

PID 8224, reg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
Operation: write
Name: C:\ProgramData
Value: 0

PID 7144, reg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
Operation: write
Name: C:\Users
Value: 0
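The registry writes above carry the three things a responder needs to pull out quickly: the Run-key persistence entry, the Defender path exclusions (two of which cover whole drive roots), and an opaque binary blob under a non-Microsoft key. The following Python is an added example, not ANY.RUN's code, that triages events of this shape: it flags autorun values (and whether they point into C:\Users\Public), grades an exclusion as broad when the excluded path is a single component below the drive, and decodes hex-encoded values to report their size and any printable ASCII prefix. The events are transcribed from the list above; the JDBCC value is reproduced verbatim, and the rule names and the "broad" threshold are my own choices.

```python
import string

# Constructed sample input: the registry write events listed above, transcribed as
# (pid, process, key, value name, data). The hex string is the JDBCC value verbatim.
SAMPLE_EVENTS = [
    (6792, "zmh8535663201.exe", r"HKEY_LOCAL_MACHINE\SOFTWARE\JDBCC", "data",
     "77396E586B42506C4168613673396F38616B5A46573530354C5843386F34536B2A2F26"
     "FEFD4711D17C90FEFE869C879D9799D09C8D96FEFE4CE5FEFECFC6CBD0CDFEFEFE"),
    (1684, "4ebgZl.exe", r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "Tencent SecurityHealth", r'"C:\Users\Public\7oshG0\4ebgZl.exe"'),
    (1684, "4ebgZl.exe", r"HKEY_CURRENT_USER\SOFTWARE\ODBDC", "revbs", "1"),
    (7296, "reg.exe", r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths",
     r"C:\Users\Public\7oshG0", "0"),
    (1684, "4ebgZl.exe", r"HKEY_LOCAL_MACHINE\SOFTWARE\PermissionManager",
     "PermProcessed_12387126252193074910", "1"),
    (1684, "4ebgZl.exe", r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content",
     "CachePrefix", ""),
    (1684, "4ebgZl.exe", r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies",
     "CachePrefix", "Cookie:"),
    (1684, "4ebgZl.exe", r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History",
     "CachePrefix", "Visited:"),
    (8224, "reg.exe", r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths",
     r"C:\ProgramData", "0"),
    (7144, "reg.exe", r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths",
     r"C:\Users", "0"),
]

# printable ASCII minus the control whitespace characters
_PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


def decode_hex_blob(hexstr):
    """Return (raw bytes, printable ASCII prefix) for a hex-encoded binary value."""
    raw = bytes.fromhex(hexstr)
    prefix = []
    for b in raw:
        if b < 0x80 and chr(b) in _PRINTABLE:
            prefix.append(chr(b))
        else:
            break
    return raw, "".join(prefix)


def _is_hex_blob(s):
    return len(s) >= 32 and len(s) % 2 == 0 and all(c in string.hexdigits for c in s)


def _path_depth(p):
    """Number of path components below the drive: C:\\Users -> 1, C:\\Users\\Public\\x -> 3."""
    return len([c for c in p.strip('"').split("\\")[1:] if c])


def triage_event(pid, process, key, name, data):
    """Return [(pid, process, rule, detail), ...] for one registry write."""
    k = key.lower()
    findings = []
    if k.endswith("\\currentversion\\run") or k.endswith("\\currentversion\\runonce"):
        where = "public_dir" if "\\users\\public\\" in data.lower() else "other"
        findings.append(("autorun_value", f"{name} -> {data} [{where}]"))
    if "\\windows defender\\exclusions\\paths" in k:
        scope = "broad" if _path_depth(name) <= 1 else "narrow"   # threshold is a heuristic
        findings.append(("defender_path_exclusion", f"{name} [{scope}]"))
    if _is_hex_blob(data):
        raw, prefix = decode_hex_blob(data)
        findings.append(("binary_blob", f"{key}\\{name}: {len(raw)} bytes, printable prefix {prefix!r}"))
    return [(pid, process, rule, detail) for rule, detail in findings]


def triage(events):
    return [f for ev in events for f in triage_event(*ev)]


if __name__ == "__main__":
    for pid, process, rule, detail in triage(SAMPLE_EVENTS):
        print(f"{pid:5} {process:20} {rule:24} {detail}")
```

On this data the JDBCC value decodes to 68 bytes whose first 35 are printable (a 32-character alphanumeric string followed by `*/&`) before non-printable data begins; what the sample uses it for is not established by this page, but a stored blob with a key-like prefix is worth carving for the configuration extractor.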
Files: 7 executable, 4 suspicious, 9 text, 0 of unknown type

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
6792 | zmh8535663201.exe | C:\Users\Public\7oshG0\adoresd.dat | - | - | -
6792 | zmh8535663201.exe | \Device\Mup:\localhost\pipe\atsvc | - | - | -
1684 | 4ebgZl.exe | C:\Program Files (x86)\mNV1fh\image.png | - | - | -
3416 | mNV1fh.exe | C:\Program Files (x86)\VkNOoy0m\image.png | - | - | -
6792 | zmh8535663201.exe | C:\Users\Public\7oshG0\msadox.tb | binary | 46270A66DABAC0FCEE25417CB146F1BB | 886750EC24426462030CBB9F6A4FF21C61A68CC1F0B7A9CDCF3916ACEA5BEC4A
1684 | 4ebgZl.exe | C:\Windows\System32\CodeIntegrity\SiPolicy.p7b | binary | C99441A9B83D3866D88ABFDF45894D3D | B3F17065ED63B17FFEF175F2979907D8EEF69A76BA4CBD1D9785035A0B1F0A10
3416 | mNV1fh.exe | C:\Windows\System32\drivers\etc\hosts | text | 45FB13BC96EB3AAF5C8633F5D63D181D | 71510F5A478FC44950A155BC66616B38041CC1E13573AEEFAF0D734EF4E88C50
6792 | zmh8535663201.exe | C:\Windows\Temp\ranchserv.jpg | executable | 99782F5734A8CF2FF40B511590D4A56E | F049FE0AB0314C13A661DB7D9FB3EC5026675CD800EF7EC0F19378E34207D589
6792 | zmh8535663201.exe | C:\Users\Public\7oshG0\4ebgZl.exe | executable | 9EC587911E501B73B7CF09F05D0AE17D | 676A2A7B94CA2F8EC76352EE656E4D075BB342BD7AD6EFBC7C19C060001EACE7
6792 | zmh8535663201.exe | C:\Users\Public\7oshG0\UxEnhance64.dll | executable | 77974A2CF38FE6228533B4742D8F71BE | 45F7A068772A83F459B7FE563B24AD12CF8CAB029461155F0400A9943CCF4549

Notes on the list: \pipe\atsvc is the RPC endpoint of the Task Scheduler service, so that entry records the sample opening the named pipe (the scheduled-task activity above), not a file written to disk. C:\Windows\System32\CodeIntegrity\SiPolicy.p7b is where Windows reads a Windows Defender Application Control code-integrity policy at boot; a policy file planted there decides which binaries may load after the next restart and should be treated as a high-priority artifact in its own right. ranchserv.jpg is typed as executable despite its extension, which is what the "stego" tag and the "Encrypted DLL Gh0stRat inside Jpeg" network rule below refer to.
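The "executable" type recorded for C:\Windows\Temp\ranchserv.jpg comes down to content not matching the file name. The following is an added example (not ANY.RUN's code) of that check in Python: it identifies a file by magic bytes, validates the PE signature behind an MZ stub, compares the result with the extension, and reports bytes appended after an image's end marker, a common way of carrying a payload inside an image. All file contents are constructed inline (a synthetic PE header, PNG and JPEG skeletons); only the paths are taken from the table above, and stego_sample.jpg is a made-up name.

```python
import struct

# Constructed sample contents (not the real dropped files): a minimal PE header,
# PNG and JPEG skeletons, a hosts-style text line and an opaque binary blob.
FAKE_PE = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 16
FAKE_PNG = (b"\x89PNG\r\n\x1a\n"
            + b"\x00\x00\x00\x0dIHDR" + b"\0" * 13 + b"\0" * 4     # IHDR chunk (CRC not checked here)
            + b"\x00\x00\x00\x00IEND\xaeB`\x82")                   # IEND chunk with its real CRC
FAKE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\0" * 9 + b"\xff\xd9"   # SOI ... EOI
APPENDED_PAYLOAD = b"\x13\x37" * 8     # 16 bytes glued after the JPEG end marker

SAMPLE_FILES = [
    (r"C:\Windows\Temp\ranchserv.jpg", FAKE_PE),                 # paths from the report
    (r"C:\Users\Public\7oshG0\UxEnhance64.dll", FAKE_PE),
    (r"C:\Program Files (x86)\mNV1fh\image.png", FAKE_PNG),
    (r"C:\Windows\System32\drivers\etc\hosts", b"127.0.0.1 localhost\r\n"),
    (r"C:\Users\Public\7oshG0\msadox.tb", b"\x01\x02\xfe\xfd" * 4),
    ("stego_sample.jpg", FAKE_JPEG + APPENDED_PAYLOAD),           # made-up name
]

EXT_KIND = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png",
            ".exe": "executable", ".dll": "executable", ".txt": "text", "": "text"}


def sniff_type(data):
    """Classify by content: PE behind an MZ stub, PNG/JPEG magic, printable text, else binary."""
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]     # offset of the PE header
        if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            return "executable"
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        return "png"
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if data and all(32 <= b < 127 or b in (9, 10, 13) for b in data):
        return "text"
    return "binary"


def trailing_payload(kind, data):
    """Bytes after the image end marker (JPEG EOI FF D9, PNG IEND chunk + CRC)."""
    if kind == "jpeg":
        eoi = data.rfind(b"\xff\xd9")    # last EOI; a payload containing FF D9 would shorten this
        return data[eoi + 2:] if eoi != -1 else b""
    if kind == "png":
        iend = data.find(b"IEND")
        return data[iend + 8:] if iend != -1 else b""
    return b""


def classify(path, data):
    """Return (content kind, list of issues) for one file."""
    name = path.rsplit("\\", 1)[-1]
    ext = name[name.rfind("."):].lower() if "." in name else ""
    kind = sniff_type(data)
    expected = EXT_KIND.get(ext)
    issues = []
    if expected is None:
        issues.append("unknown_extension")
    elif expected != kind:
        issues.append(f"extension_mismatch:{expected}->{kind}")
    tail = trailing_payload(kind, data)
    if tail:
        issues.append(f"trailing_data:{len(tail)}")
    return kind, issues


def scan(files):
    return [(path, *classify(path, data)) for path, data in files]


if __name__ == "__main__":
    for path, kind, issues in scan(SAMPLE_FILES):
        print(f"{kind:10} {', '.join(issues) or 'ok':40} {path}")
```

Both checks are cheap enough to run over every file a sandbox drops; the trailing-data check is only a first cut, since a payload embedded inside an image's own chunks or segments, rather than appended, needs a real parser for that format.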
Network summary: 91 HTTP(S) requests, 60 TCP/UDP connections, 23 DNS requests, 8 threats. Only excerpts are reproduced below; the domain flagged in the Threats section (aliyuncs.com) does not appear in the HTTP, connection or DNS excerpts on this page.

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation
- | - | POST | 400 | 192.168.1.2:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 204 b | whitelisted (this row occurs 7 times in the excerpt)
5768 | svchost.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted
5768 | svchost.exe | GET | 200 | 23.52.181.212:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | US | binary | 814 b | whitelisted
9108 | svchost.exe | POST | 400 | 40.126.31.1:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 204 b | whitelisted

All listed requests are Windows background traffic (certificate revocation list downloads and Microsoft account device registration); none is attributed to the sample's own processes.

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | Not routed | - | whitelisted
- | - | 48.209.138.189:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
- | - | 48.192.1.64:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
- | - | 92.123.104.5:443 | www.bing.com | AKAMAI-ASN1 | NL | whitelisted
4 | System | 192.168.100.255:138 | - | Not routed | - | whitelisted
5768 | svchost.exe | 23.216.77.28:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
5768 | svchost.exe | 23.52.181.212:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted
- | - | 40.126.31.1:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
- | - | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
9108 | svchost.exe | 40.126.31.1:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain
IP
Reputation
activation-v2.sls.microsoft.com
  • 48.192.1.64
whitelisted
www.bing.com
  • 92.123.104.5
  • 92.123.104.64
  • 92.123.104.9
  • 92.123.104.8
  • 92.123.104.4
  • 92.123.104.7
  • 92.123.104.11
  • 92.123.104.60
  • 92.123.104.10
whitelisted
crl.microsoft.com
  • 23.216.77.28
  • 23.216.77.6
whitelisted
www.microsoft.com
  • 23.52.181.212
  • 88.221.169.152
whitelisted
settings-win.data.microsoft.com
  • 48.209.138.189
  • 48.209.138.168
whitelisted
login.live.com
  • 40.126.31.1
  • 40.126.31.67
  • 20.190.159.128
  • 20.190.159.4
  • 40.126.31.71
  • 40.126.31.73
  • 20.190.159.23
  • 40.126.31.131
  • 20.190.160.64
  • 20.190.160.128
  • 20.190.160.2
  • 20.190.160.14
  • 20.190.160.132
  • 20.190.160.131
  • 20.190.160.66
  • 40.126.32.134
whitelisted
client.wns.windows.com
  • 172.211.123.250
  • 20.59.87.225
whitelisted
google.com
  • 142.250.154.138
  • 142.250.154.100
  • 142.250.154.101
  • 142.250.154.102
  • 142.250.154.113
  • 142.250.154.139
whitelisted
slscr.update.microsoft.com
  • 74.178.76.128
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 135.232.92.97
whitelisted

Threats

PID | Process | Class | Message
2232 | svchost.exe | Misc activity | ET INFO DNS Query to Alibaba Cloud CDN Domain (aliyuncs .com)
6792 | zmh8535663201.exe | Misc activity | ET INFO Observed Alibaba Cloud CDN Domain (aliyuncs .com in TLS SNI)
- | - | A Network Trojan was detected | PAYLOAD [ANY.RUN] Encrypted DLL Gh0stRat inside Jpeg
6792 | zmh8535663201.exe | A Network Trojan was detected | PAYLOAD [ANY.RUN] Encrypted DLL Gh0stRat inside Jpeg
2232 | svchost.exe | Misc activity | ET INFO DNS Query to Alibaba Cloud CDN Domain (aliyuncs .com)
1684 | 4ebgZl.exe | Misc activity | ET INFO Observed Alibaba Cloud CDN Domain (aliyuncs .com in TLS SNI)
- | - | A Network Trojan was detected | PAYLOAD [ANY.RUN] Encrypted DLL Gh0stRat inside Jpeg
1684 | 4ebgZl.exe | A Network Trojan was detected | PAYLOAD [ANY.RUN] Encrypted DLL Gh0stRat inside Jpeg

The same pair of alerts fires twice, first for the initial sample (PID 6792) and then for the dropped 4ebgZl.exe (PID 1684): each contacts an Alibaba Cloud CDN (aliyuncs.com) host over TLS and receives a payload that the ANY.RUN rule identifies as an encrypted Gh0st RAT DLL carried inside a JPEG, consistent with the ranchserv.jpg file typed as executable under Dropped files. The aliyuncs.com host itself is not in the DNS or connection excerpts on this page; the full report carries it.
Process | Message
mNV1fh.exe | Thread running... (logged 10 times)