File name: d7a30a3980f42af5dbd133f9fb92c2ab794c7d88cf38c2623a7ae250234d47de

Full analysis: https://app.any.run/tasks/2ab53040-606a-442b-a0f9-97e4b63ef293
Verdict: Malicious activity
Threats:

Gh0st RAT is malware with advanced trojan functionality that lets attackers take full control of the victim's system. Its spying capabilities have made it a go-to tool for numerous criminal groups in high-profile attacks against government and corporate organizations. The most common infection vector begins with spam and phishing emails.

Analysis date: June 21, 2025, 04:02:48
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
gh0st
rat
auto-startup
auto-reg
aspack
rdp
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 6 sections
MD5: B1868BB51EE03BD0339C2C99B320839C
SHA1: DCD472E78EBC8B58C746C5814DC29ECF56566309
SHA256: D7A30A3980F42AF5DBD133F9FB92C2AB794C7D88CF38C2623A7AE250234D47DE
SSDEEP: 49152:0DHSB6N/boH2a7cS1r7x88988Nt2874rdrhnzl+li50SSSf5vZWnAE4hfYVcPw1+:0DHSBU/boH2aQ8uLrdRzwY50SSSf5hq8

ANY.RUN is an interactive service that provides full access to the guest system. Information in this report may have been distorted by user actions and is provided as is; ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • GH0ST mutex has been found

      • d7a30a3980f42af5dbd133f9fb92c2ab794c7d88cf38c2623a7ae250234d47de.exe (PID: 1212)
      • svchcst.exe (PID: 5628)
    • Create files in the Startup directory

      • d7a30a3980f42af5dbd133f9fb92c2ab794c7d88cf38c2623a7ae250234d47de.exe (PID: 1212)
    • Changes the autorun value in the registry

      • d7a30a3980f42af5dbd133f9fb92c2ab794c7d88cf38c2623a7ae250234d47de.exe (PID: 1212)
    • Uses sleep, probably for detection evasion (SCRIPT)

      • wscript.exe (PID: 4160)
      • wscript.exe (PID: 516)
      • wscript.exe (PID: 6640)
      • wscript.exe (PID: 6852)
      • wscript.exe (PID: 3520)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • d7a30a3980f42af5dbd133f9fb92c2ab794c7d88cf38c2623a7ae250234d47de.exe (PID: 1212)
    • Reads security settings of Internet Explorer

      • d7a30a3980f42af5dbd133f9fb92c2ab794c7d88cf38c2623a7ae250234d47de.exe (PID: 1212)
    • The process executes VB scripts

      • d7a30a3980f42af5dbd133f9fb92c2ab794c7d88cf38c2623a7ae250234d47de.exe (PID: 1212)
    • Accesses WMI object, sets custom ImpersonationLevel (SCRIPT)

      • wscript.exe (PID: 6640)
      • wscript.exe (PID: 4160)
      • wscript.exe (PID: 516)
      • wscript.exe (PID: 6852)
      • wscript.exe (PID: 3520)
    • Executes WMI query (SCRIPT)

      • wscript.exe (PID: 4160)
      • wscript.exe (PID: 3520)
      • wscript.exe (PID: 516)
      • wscript.exe (PID: 6640)
      • wscript.exe (PID: 6852)
    • Contains functionality to enable RDP (YARA)

      • d7a30a3980f42af5dbd133f9fb92c2ab794c7d88cf38c2623a7ae250234d47de.exe (PID: 1212)
    • Connects to unusual port

      • d7a30a3980f42af5dbd133f9fb92c2ab794c7d88cf38c2623a7ae250234d47de.exe (PID: 1212)
    • There is functionality for taking screenshot (YARA)

      • d7a30a3980f42af5dbd133f9fb92c2ab794c7d88cf38c2623a7ae250234d47de.exe (PID: 1212)
  • INFO

    • The sample was compiled with Chinese language support

      • d7a30a3980f42af5dbd133f9fb92c2ab794c7d88cf38c2623a7ae250234d47de.exe (PID: 1212)
    • Checks supported languages

      • d7a30a3980f42af5dbd133f9fb92c2ab794c7d88cf38c2623a7ae250234d47de.exe (PID: 1212)
      • svchcst.exe (PID: 5628)
    • Creates files or folders in the user directory

      • d7a30a3980f42af5dbd133f9fb92c2ab794c7d88cf38c2623a7ae250234d47de.exe (PID: 1212)
    • Reads the computer name

      • d7a30a3980f42af5dbd133f9fb92c2ab794c7d88cf38c2623a7ae250234d47de.exe (PID: 1212)
    • Process checks computer location settings

      • d7a30a3980f42af5dbd133f9fb92c2ab794c7d88cf38c2623a7ae250234d47de.exe (PID: 1212)
    • Launching a file from the Startup directory

      • d7a30a3980f42af5dbd133f9fb92c2ab794c7d88cf38c2623a7ae250234d47de.exe (PID: 1212)
    • Launching a file from a Registry key

      • d7a30a3980f42af5dbd133f9fb92c2ab794c7d88cf38c2623a7ae250234d47de.exe (PID: 1212)
    • Manual execution by a user

      • svchcst.exe (PID: 5628)
    • Checks proxy server information

      • slui.exe (PID: 6492)
    • Reads the software policy settings

      • slui.exe (PID: 6492)
    • Aspack has been detected

      • d7a30a3980f42af5dbd133f9fb92c2ab794c7d88cf38c2623a7ae250234d47de.exe (PID: 1212)
Find more information about signature artifacts and the mapping to the MITRE ATT&CK™ matrix in the full report (link above).
No malware configuration was extracted.

TRiD

.exe | Win32 EXE PECompact compressed (generic) (83)
.exe | Win32 Executable (generic) (9)
.exe | Generic Win/DOS Executable (3.9)
.exe | DOS Executable Generic (3.9)

Note: TRiD's "PECompact compressed (generic)" is a heuristic file-type guess; the behavioural signature above ("Aspack has been detected") identifies the packer as ASPack. Treat the TRiD percentage as a type hint, not as a packer identification.

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:08:01 10:15:04+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 6
CodeSize: 909312
InitializedDataSize: 241664
UninitializedDataSize: -
EntryPoint: 0xbd080
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
FileVersion: 1.0.0.0
FileDescription: 本程序使用“黑月 - 应用程序向导”生成 (translation: "This program was generated with the 'Black Moon - Application Wizard'")
ProductName: 黑月窗口程序 (translation: "Black Moon window program")
ProductVersion: 1.0.0.0
CompanyName: 邓学彬(泪闯天涯) (Deng Xuebin, handle 泪闯天涯)
LegalCopyright: 邓学彬(泪闯天涯) 版权所有 (translation: "Copyright Deng Xuebin (泪闯天涯), all rights reserved")
Comments: 本程序使用易语言编写(http://www.eyuyan.com) (translation: "This program was written in Easy Language (易语言)", http://www.eyuyan.com)

黑月 ("Black Moon") is a compiler add-on for 易语言 (Easy Language, a Chinese-language programming environment). The FileDescription, ProductName and Comments fields are boilerplate emitted by that wizard, so they identify the toolchain rather than the operator.
All screenshots are available in the full report
Total processes: 139
Monitored processes: 8
Malicious processes: 7
Suspicious processes: 0

Behavior graph (process tree; "no specs" is ANY.RUN's label for a process with no process-specific indicators)

explorer.exe
  └─ d7a30a3980f42af5dbd133f9fb92c2ab794c7d88cf38c2623a7ae250234d47de.exe (PID 1212) #GH0ST
       ├─ wscript.exe (PID 516) no specs
       ├─ wscript.exe (PID 3520) no specs
       ├─ wscript.exe (PID 4160) no specs
       ├─ wscript.exe (PID 6640) no specs
       └─ wscript.exe (PID 6852) no specs
explorer.exe
  └─ svchcst.exe (PID 5628) #GH0ST no specs
svchost.exe
  └─ slui.exe (PID 6492)

Process information

Fields per process: PID, CMD, Path, Indicators, Parent process. The five script hosts are launched with the command line "C:\WINDOWS\System32\WScript.exe" but resolve to C:\Windows\SysWOW64\wscript.exe: the parent is a 32-bit process, so WOW64 file-system redirection applies.

PID: 516
CMD: "C:\WINDOWS\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\Microsoft\VBS3.vbs"
Path: C:\Windows\SysWOW64\wscript.exe
Parent process: d7a30a3980f42af5dbd133f9fb92c2ab794c7d88cf38c2623a7ae250234d47de.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Version:
5.812.10240.16384
Modules
Images
c:\windows\syswow64\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 1212
CMD: "C:\Users\admin\Desktop\d7a30a3980f42af5dbd133f9fb92c2ab794c7d88cf38c2623a7ae250234d47de.exe"
Path: C:\Users\admin\Desktop\d7a30a3980f42af5dbd133f9fb92c2ab794c7d88cf38c2623a7ae250234d47de.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\d7a30a3980f42af5dbd133f9fb92c2ab794c7d88cf38c2623a7ae250234d47de.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll
PID: 3520
CMD: "C:\WINDOWS\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\Microsoft\VBS3.vbs"
Path: C:\Windows\SysWOW64\wscript.exe
Parent process: d7a30a3980f42af5dbd133f9fb92c2ab794c7d88cf38c2623a7ae250234d47de.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Version:
5.812.10240.16384
Modules
Images
c:\windows\syswow64\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 4160
CMD: "C:\WINDOWS\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\Microsoft\VBS3.vbs"
Path: C:\Windows\SysWOW64\wscript.exe
Parent process: d7a30a3980f42af5dbd133f9fb92c2ab794c7d88cf38c2623a7ae250234d47de.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Version:
5.812.10240.16384
Modules
Images
c:\windows\syswow64\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 5628
CMD: C:\Users\admin\AppData\Roaming\Microsoft\svchcst.exe
Path: C:\Users\admin\AppData\Roaming\Microsoft\svchcst.exe
Parent process: explorer.exe (flagged above as manual execution by a user)
User:
admin
Company:
邓学彬(泪闯天涯) (Deng Xuebin, handle 泪闯天涯)
Integrity Level:
MEDIUM
Description:
本程序使用“黑月 - 应用程序向导”生成 (translation: "This program was generated with the 'Black Moon - Application Wizard'")
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\roaming\microsoft\svchcst.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll
PID: 6492
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe (COM-activated Windows Activation Client; background activity unrelated to the sample)
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 6640
CMD: "C:\WINDOWS\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\Microsoft\VBS3.vbs"
Path: C:\Windows\SysWOW64\wscript.exe
Parent process: d7a30a3980f42af5dbd133f9fb92c2ab794c7d88cf38c2623a7ae250234d47de.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Version:
5.812.10240.16384
Modules
Images
c:\windows\syswow64\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 6852
CMD: "C:\WINDOWS\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\Microsoft\VBS3.vbs"
Path: C:\Windows\SysWOW64\wscript.exe
Parent process: d7a30a3980f42af5dbd133f9fb92c2ab794c7d88cf38c2623a7ae250234d47de.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Version:
5.812.10240.16384
Modules
Images
c:\windows\syswow64\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events: 11 860
Read events: 11 846
Write events: 14
Delete events: 0

Modification events

The four SlowContextMenuEntries writes and the OneDrive LastUpdate write are Explorer shell-cache side effects of the process's file and shell activity. The two Run-key writes are the persistence: one under HKLM (WOW6432Node) and one under HKCU, with value names that resemble Qihoo 360 Safe components ("360safo", "360sofe"), both pointing at the dropped copy in %APPDATA%\Microsoft\svchcst.exe.

(PID 1212) d7a30a3980f42af5dbd133f9fb92c2ab794c7d88cf38c2623a7ae250234d47de.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000

(PID 1212) d7a30a3980f42af5dbd133f9fb92c2ab794c7d88cf38c2623a7ae250234d47de.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100005D54A9A2C2A0B4429708A0B2BADD77C87D000000

(PID 1212) d7a30a3980f42af5dbd133f9fb92c2ab794c7d88cf38c2623a7ae250234d47de.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A7803901000010901EF8A46ECE11A7FF00AA003CA9F68C000000

(PID 1212) d7a30a3980f42af5dbd133f9fb92c2ab794c7d88cf38c2623a7ae250234d47de.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A7803901000010901EF8A46ECE11A7FF00AA003CA9F69C000000

(PID 1212) d7a30a3980f42af5dbd133f9fb92c2ab794c7d88cf38c2623a7ae250234d47de.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts
Operation: write
Name: LastUpdate
Value: F42E566800000000

(PID 1212) d7a30a3980f42af5dbd133f9fb92c2ab794c7d88cf38c2623a7ae250234d47de.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: 360safo
Value: C:\Users\admin\AppData\Roaming\Microsoft\svchcst.exe

(PID 1212) d7a30a3980f42af5dbd133f9fb92c2ab794c7d88cf38c2623a7ae250234d47de.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: 360sofe
Value: C:\Users\admin\AppData\Roaming\Microsoft\svchcst.exe
Executable files: 2
Suspicious files: 1
Text files: 2
Unknown types: 0

Dropped files

All five files were written by PID 1212 (d7a30a3980f42af5dbd133f9fb92c2ab794c7d88cf38c2623a7ae250234d47de.exe).

C:\Users\admin\AppData\Roaming\svchcst.exe (executable)
  MD5: B1868BB51EE03BD0339C2C99B320839C
  SHA256: D7A30A3980F42AF5DBD133F9FB92C2AB794C7D88CF38C2623A7AE250234D47DE
  Same hashes as the submitted sample: a straight self-copy.

C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.lnk (binary)
  MD5: F2942101778B1DC853513B9D6E6EC15D
  SHA256: 33B9122A653E3798B8571576E98AA58C84BFB23FD63A12DBFA747161837F599A

C:\Users\admin\AppData\Roaming\Microsoft\svchcst.exe (executable)
  MD5: 609C223A8AA7D3F9557D5944B0024887
  SHA256: C526A3967D7DAFB6E79A208C4AA30F4147B6A27687405F7C1C766A69B1B03F58
  Different hashes from the sample. This is the copy both Run-key values point to and the one that later ran as PID 5628.

C:\Users\admin\AppData\Roaming\Microsoft\VBS3.vbs (text)
  MD5: 13B919F4139007306014A56D4494A2D5
  SHA256: F9D47904FB9D9CA55D94D93C7450EDE5D1C14D762DE3C57564607188B34098DF

C:\Users\admin\AppData\Roaming\Microsoft\Config.ini (text)
  MD5: 5611518085F0E601B7AF262B73CA1E21
  SHA256: 8E59E3DC5427519534AF0CFB2713D94388D03240F4F6D2C9EC6A13DB1D9812AB
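The persistence chain recorded above (two Run-key values pointing into %APPDATA%, a .lnk in the Startup folder, a .vbs dropped next to the payload and executed by wscript.exe) is what a host-based rule set should catch as one incident rather than as four unrelated alerts. The following Python is an added example written for this page, not ANY.RUN's code and not anything recovered from the sample. It runs a few such rules over constructed Sysmon-style events: the field names (EventID 1, 11 and 13; Image, TargetObject, Details, TargetFilename, CommandLine, ParentImage) are assumed to follow Sysmon's schema, and the event contents are fabricated from the paths, PIDs and key names in this report. Hits are correlated per responsible image, so a process that trips several persistence rules surfaces as a chain. A benign Run-key write under Program Files is included to show that the rule keys on user-writable targets, not on Run-key writes as such.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style events (EventID 1 = process create, 11 = file create,
# 13 = registry value set). Paths, PIDs and key names are copied from the
# report; the events themselves are fabricated for this example, not a real log.
SAMPLE_EXE = r"C:\Users\admin\Desktop\d7a30a3980f42af5dbd133f9fb92c2ab794c7d88cf38c2623a7ae250234d47de.exe"
DROPPED_EXE = r"C:\Users\admin\AppData\Roaming\Microsoft\svchcst.exe"
EVENTS = [
    {"EventID": 13, "ProcessId": 1212, "Image": SAMPLE_EXE,
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\360safo",
     "Details": DROPPED_EXE},
    {"EventID": 13, "ProcessId": 1212, "Image": SAMPLE_EXE,
     "TargetObject": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\360sofe",
     "Details": DROPPED_EXE},
    {"EventID": 11, "ProcessId": 1212, "Image": SAMPLE_EXE,
     "TargetFilename": r"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.lnk"},
    {"EventID": 11, "ProcessId": 1212, "Image": SAMPLE_EXE,
     "TargetFilename": r"C:\Users\admin\AppData\Roaming\Microsoft\VBS3.vbs"},
    {"EventID": 1, "ProcessId": 516, "Image": r"C:\Windows\SysWOW64\wscript.exe",
     "CommandLine": r'"C:\WINDOWS\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\Microsoft\VBS3.vbs"',
     "ParentImage": SAMPLE_EXE},
    # Benign control: an installer registering a Run value under Program Files.
    {"EventID": 13, "ProcessId": 4000, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r"C:\Program Files\Vendor\tray.exe"},
]

# Any Run value, regardless of hive or WOW6432Node reflection.
RUN_VALUE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.I)
# Locations a standard user can write to: the profile and its well-known folders.
USER_WRITABLE = re.compile(r"\\(AppData|Users\\[^\\]+\\(Desktop|Downloads|Documents))\\", re.I)
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)
SCRIPT_HOST = re.compile(r"\\[wc]script\.exe$", re.I)
SCRIPT_ARG = re.compile(r'"([^"]+\.(?:vbs|vbe|js|jse|wsf))"', re.I)
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf")


def check_event(ev):
    """Return the name of the persistence rule `ev` trips, or None."""
    eid = ev["EventID"]
    if eid == 13:
        if RUN_VALUE.search(ev["TargetObject"]) and USER_WRITABLE.search(ev["Details"]):
            return "run_key_to_user_writable_path"
    elif eid == 11:
        target = ev["TargetFilename"]
        if STARTUP_LNK.search(target) and not ev["Image"].lower().endswith(r"\explorer.exe"):
            return "startup_lnk_dropped"
        if target.lower().endswith(SCRIPT_EXT) and USER_WRITABLE.search(target):
            return "script_dropped_in_user_profile"
    elif eid == 1 and SCRIPT_HOST.search(ev["Image"]):
        m = SCRIPT_ARG.search(ev.get("CommandLine", ""))
        if m and USER_WRITABLE.search(m.group(1)) and USER_WRITABLE.search(ev["ParentImage"]):
            return "script_host_from_user_writable_parent"
    return None


def actor(ev):
    """The image to blame. For process creation that is the parent: the script
    host itself is a signed Microsoft binary and not the interesting party."""
    return ev["ParentImage"] if ev["EventID"] == 1 else ev["Image"]


def correlate(events, min_rules=2):
    """Group rule hits by responsible image and keep only images that tripped
    at least `min_rules` distinct rules, i.e. a persistence chain."""
    hits = defaultdict(set)
    for ev in events:
        rule = check_event(ev)
        if rule:
            hits[actor(ev)].add(rule)
    return {img: sorted(rules) for img, rules in hits.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    for image, rules in correlate(EVENTS).items():
        print(image)
        for rule in rules:
            print("   ", rule)
```

In a real deployment the events would come from Sysmon or EDR telemetry rather than a list. The Run-key rule deliberately ignores the "360" value names, which change between builds, and keys instead on the target being in a user-writable location, which the persistence cannot avoid when the payload lives in %APPDATA%.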
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 6
TCP/UDP connections: 25
DNS requests: 7
Threats: 0

HTTP requests

None of the HTTP traffic originates from the sample or its dropped copy: the CRL fetches come from Windows components (svchost.exe, MoUsoCoreWorker.exe, RUXIMICS.exe) and the two activation POSTs belong to Windows activation (the report leaves their PID and process blank). The sample's own network activity is the raw TCP connection listed under Connections.

PID   Process              Method  Code  IP                URL                                                                                                         CN       Type  Size   Reputation
1268  svchost.exe          GET     200   184.24.77.35:80   http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl                                  unknown  -     -      whitelisted
5944  MoUsoCoreWorker.exe  GET     200   184.24.77.35:80   http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl                                  unknown  -     -      whitelisted
472   RUXIMICS.exe         GET     200   184.24.77.35:80   http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl                                  unknown  -     -      whitelisted
1268  svchost.exe          GET     200   184.30.21.171:80  http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl                                         unknown  -     -      whitelisted
-     -                    POST    500   20.83.72.98:443   https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail    unknown  xml   512 b  whitelisted
-     -                    POST    500   20.83.72.98:443   https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail    unknown  xml   512 b  whitelisted

Connections

Everything here except the last row is host background traffic (NetBIOS broadcasts from System, Microsoft telemetry and CRL endpoints). The one connection attributed to the sample is PID 1212 to 192.168.145.128:8282, which is what the "Connects to unusual port" signature refers to. The peer is an RFC 1918 address on a different subnet from the guest (192.168.100.0/24), so it is not routable from the sandbox or from the internet at large and the session cannot have completed here. Treat the process-to-port behaviour, not the private IP, as the shareable indicator.

PID   Process                                                                       IP:port                ASN                          CN  Domain                           Reputation
4     System                                                                        192.168.100.255:137    -                            -   -                                whitelisted
5944  MoUsoCoreWorker.exe                                                           51.104.136.2:443       MICROSOFT-CORP-MSN-AS-BLOCK  IE  settings-win.data.microsoft.com  whitelisted
1268  svchost.exe                                                                   51.104.136.2:443       MICROSOFT-CORP-MSN-AS-BLOCK  IE  settings-win.data.microsoft.com  whitelisted
472   RUXIMICS.exe                                                                  51.104.136.2:443       MICROSOFT-CORP-MSN-AS-BLOCK  IE  settings-win.data.microsoft.com  whitelisted
4     System                                                                        192.168.100.255:138    -                            -   -                                whitelisted
1268  svchost.exe                                                                   184.24.77.35:80        Akamai International B.V.    DE  crl.microsoft.com                whitelisted
5944  MoUsoCoreWorker.exe                                                           184.24.77.35:80        Akamai International B.V.    DE  crl.microsoft.com                whitelisted
472   RUXIMICS.exe                                                                  184.24.77.35:80        Akamai International B.V.    DE  crl.microsoft.com                whitelisted
1268  svchost.exe                                                                   184.30.21.171:80       AKAMAI-AS                    DE  www.microsoft.com                whitelisted
1212  d7a30a3980f42af5dbd133f9fb92c2ab794c7d88cf38c2623a7ae250234d47de.exe         192.168.145.128:8282   -                            -   -                                unknown
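The report contains no PCAP for the 192.168.145.128:8282 session, so nothing below is derived from this sample's traffic. As an added example (not from ANY.RUN or this page), here is a parser for the classic Gh0st RAT wire framing, which is public knowledge about the family rather than something this report establishes: a 5-byte magic (b"Gh0st" in the original source; rebranded builds change it), a little-endian uint32 total frame length that includes the 13-byte header, a little-endian uint32 inflated payload length, and then a zlib stream. Whether this particular sample still uses the default magic is unknown; the `magics` parameter exists so the tag observed in a capture can be supplied instead. The frame builder is only there to construct test traffic, and the payload bytes are made up; they do not reproduce the real login or command structures.

```python
import struct
import zlib

# Classic Gh0st RAT framing (knowledge about the family, not taken from this
# report): 5-byte magic, uint32 LE total frame length (header included),
# uint32 LE inflated payload length, then a zlib stream. Header is 13 bytes.
HEADER = struct.Struct("<5sII")
DEFAULT_MAGICS = (b"Gh0st",)  # rebranded variants use other 5-byte tags


def parse_gh0st_frame(data, magics=DEFAULT_MAGICS, max_inflated=16 * 1024 * 1024):
    """Return (magic, inflated_payload) if `data` is exactly one well-formed
    Gh0st-style frame, otherwise None. Every header field is cross-checked
    against the bytes actually present, so a chance match on the magic alone
    does not produce a hit, and an absurd inflated length is refused before
    zlib is asked to allocate it."""
    if len(data) < HEADER.size:
        return None
    magic, total_len, inflated_len = HEADER.unpack_from(data)
    if magic not in magics:
        return None
    if total_len != len(data) or inflated_len > max_inflated:
        return None
    try:
        payload = zlib.decompress(data[HEADER.size:])
    except zlib.error:
        return None
    if len(payload) != inflated_len:
        return None
    return magic, payload


def build_gh0st_frame(payload, magic=b"Gh0st"):
    """Encode `payload` in the same framing. Used here only to construct
    test traffic; the payload contents are arbitrary."""
    if len(magic) != 5:
        raise ValueError("magic must be exactly 5 bytes")
    body = zlib.compress(payload)
    return HEADER.pack(magic, HEADER.size + len(body), len(payload)) + body


def scan_stream(stream, magics=DEFAULT_MAGICS):
    """Walk a reassembled TCP stream and return the consecutive well-formed
    frames. Parsing stops at the first offset that does not start a valid
    frame, so non-Gh0st traffic (or a truncated tail) yields what was valid
    up to that point and nothing more."""
    frames = []
    offset = 0
    while offset + HEADER.size <= len(stream):
        _, total_len, _ = HEADER.unpack_from(stream, offset)
        if total_len <= HEADER.size or offset + total_len > len(stream):
            break
        parsed = parse_gh0st_frame(stream[offset:offset + total_len], magics)
        if parsed is None:
            break
        frames.append(parsed)
        offset += total_len
    return frames


if __name__ == "__main__":
    # Constructed traffic: two frames of a fake controller session, then HTTP.
    session = build_gh0st_frame(b"constructed beacon body") + build_gh0st_frame(b"second frame")
    for magic, payload in scan_stream(session):
        print(magic, len(payload), payload)
    print(scan_stream(b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"))
```

The length cross-checks are the point: a signature that fires on the five magic bytes alone is easy to evade by rebranding and easy to false-positive on, whereas a frame whose declared total length, declared inflated length and zlib stream all agree is a strong structural match regardless of what the tag says.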

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
google.com
  • 142.250.185.78
whitelisted
crl.microsoft.com
  • 184.24.77.35
  • 184.24.77.12
  • 184.24.77.37
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
self.events.data.microsoft.com
  • 20.50.201.195
whitelisted

Threats

No threats detected
No debug info