File name:	2025-03-24_ac1910a1f003290a10b7d33db8af72e7_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch
Full analysis:	https://app.any.run/tasks/d20d14a7-40d8-4566-b92e-d4ddb86ece2d
Verdict:	Malicious activity
Threats:	Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. Malware Trends Tracker >>>
Analysis date:	March 24, 2025, 22:38:33
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	ransomware golang
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows, 13 sections
MD5:	AC1910A1F003290A10B7D33DB8AF72E7
SHA1:	F28D31D8F2CC9B5AE5D7F777F85C786DA0848D3A
SHA256:	00C98CB5F859E6FB7A08B0B098F38644E132A3D17AE11AC2453341E5967177A3
SSDEEP:	98304:/i6phhlaOhMkaIGzDJseMoC+xudYv3FE/ao3PYIuPZHaTH7inCnVT:w0JF

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

MachineType:	AMD AMD64
TimeStamp:	0000:00:00 00:00:00
ImageFileCharacteristics:	Executable, Large address aware, No debug
PEType:	PE32+
LinkerVersion:	3
CodeSize:	1319424
InitializedDataSize:	226816
UninitializedDataSize:	-
EntryPoint:	0x63740
OSVersion:	6.1
ImageVersion:	1
SubsystemVersion:	6.1
Subsystem:	Windows command line


(PID) Process:	(5260) BackgroundTransferHost.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(5260) BackgroundTransferHost.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(5260) BackgroundTransferHost.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(6384) BackgroundTransferHost.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(6384) BackgroundTransferHost.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(6384) BackgroundTransferHost.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(2568) BackgroundTransferHost.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(2568) BackgroundTransferHost.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(2568) BackgroundTransferHost.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(2644) BackgroundTransferHost.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Content
Operation:	write	Name:	CachePrefix
Value:

PID	Process	Filename		Type
6384	BackgroundTransferHost.exe	C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\7ac6f1d1-8cae-4a6c-9751-3a729e364076.down_data		—
		MD5:—	SHA256:—
2504	BackgroundTransferHost.exe	C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\a4c3758d-2662-43e5-bd90-75aa3209c05c.down_data		—
		MD5:—	SHA256:—
6384	BackgroundTransferHost.exe	C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\aff47a94-b98e-4439-8c88-a1a805b83b00.ad671fcc-ca02-466f-b59d-a70ee5b629ec.down_meta		binary
		MD5:34321A8996F45E9F47158CB2CC6E61C5	SHA256:13B6E067C525EB1088208EA3E7DEA318BF5F2D11925525072A28D62000ADF582
6384	BackgroundTransferHost.exe	C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\7ac6f1d1-8cae-4a6c-9751-3a729e364076.ad671fcc-ca02-466f-b59d-a70ee5b629ec.down_meta		binary
		MD5:34321A8996F45E9F47158CB2CC6E61C5	SHA256:13B6E067C525EB1088208EA3E7DEA318BF5F2D11925525072A28D62000ADF582
2504	BackgroundTransferHost.exe	C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\ed10e4dc-53a9-47f7-9f31-a48b044e5b7a.up_meta_secure		binary
		MD5:B5FE1832CC8A0511A10E7F09425C64C4	SHA256:AF047A295169D1836C1CB473250129321045171ED5BC85C43750C0771A48B852
2504	BackgroundTransferHost.exe	C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\a4c3758d-2662-43e5-bd90-75aa3209c05c.f574ac81-f5e9-49ef-b6a5-9645a46b1c62.down_meta		binary
		MD5:833D4591908B7BFC698BEE6845AEF8BF	SHA256:E162929DE31D5C6B14889820AEDBCD15F2E4D35BDA4FEFACCD0F9E8B8A833BCB
6384	BackgroundTransferHost.exe	C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\aff47a94-b98e-4439-8c88-a1a805b83b00.up_meta_secure		binary
		MD5:DA9CC1EBBDF6156FDC5843F7B3926DCC	SHA256:99A5A2B46D1F137CAEA21E51F671882D9DB1DD308574F794C6550EDD7A271C37
2504	BackgroundTransferHost.exe	C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\ed10e4dc-53a9-47f7-9f31-a48b044e5b7a.f574ac81-f5e9-49ef-b6a5-9645a46b1c62.down_meta		binary
		MD5:833D4591908B7BFC698BEE6845AEF8BF	SHA256:E162929DE31D5C6B14889820AEDBCD15F2E4D35BDA4FEFACCD0F9E8B8A833BCB
1116	2025-03-24_ac1910a1f003290a10b7d33db8af72e7_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe	C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini		executable
		MD5:714CAD7155360AAEAFB39BC3D7869253	SHA256:571296B44D9F9FA1517F61273592298C310B0A4C3E6683CC446B8841A45C5C25

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	304	4.175.87.197:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	—
—	—	GET	200	40.69.42.241:443	https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping	unknown	—	—	—
1300	SIHClient.exe	GET	200	95.101.54.128:80	http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl	unknown	—	—	whitelisted
1300	SIHClient.exe	GET	200	95.101.54.128:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1300	SIHClient.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted
—	—	GET	200	4.175.87.197:443	https://slscr.update.microsoft.com/sls/ping	unknown	—	—	—
1300	SIHClient.exe	GET	200	95.101.54.128:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	unknown	—	—	whitelisted
1300	SIHClient.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
1300	SIHClient.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
1300	SIHClient.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
3216	svchost.exe	40.115.3.253:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6544	svchost.exe	20.190.159.68:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2236	backgroundTaskHost.exe	20.223.35.26:443	arc.msn.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1300	SIHClient.exe	20.12.23.50:443	slscr.update.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
1300	SIHClient.exe	95.101.54.128:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
1300	SIHClient.exe	2.23.246.101:80	www.microsoft.com	Ooredoo Q.S.C.	QA	whitelisted
1300	SIHClient.exe	20.3.187.198:443	fe3cr.delivery.mp.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158	whitelisted
google.com	142.250.185.142	whitelisted
client.wns.windows.com	40.115.3.253 40.113.103.199	whitelisted
login.live.com	20.190.159.68 40.126.31.2 40.126.31.131 40.126.31.67 20.190.159.71 20.190.159.130 20.190.159.75 40.126.31.129 40.126.31.73 40.126.31.130 40.126.31.0 20.190.159.73 20.190.159.64	whitelisted
arc.msn.com	20.223.35.26	whitelisted
slscr.update.microsoft.com	20.12.23.50	whitelisted
crl.microsoft.com	95.101.54.128 95.101.54.122	whitelisted
www.microsoft.com	2.23.246.101	whitelisted
fe3cr.delivery.mp.microsoft.com	20.3.187.198	whitelisted
www.bing.com	2.19.122.56 2.19.122.39 2.19.122.55 2.19.122.52 2.19.122.34 2.19.122.46 2.19.122.61 2.19.122.60 2.19.122.59	whitelisted

General Info

2025-03-24_ac1910a1f003290a10b7d33db8af72e7_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch

AC1910A1F003290A10B7D33DB8AF72E7

F28D31D8F2CC9B5AE5D7F777F85C786DA0848D3A

00C98CB5F859E6FB7A08B0B098F38644E132A3D17AE11AC2453341E5967177A3

98304:/i6phhlaOhMkaIGzDJseMoC+xudYv3FE/ao3PYIuPZHaTH7inCnVT:w0JF

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

RANSOMWARE has been detected

SUSPICIOUS

Write to the desktop.ini file (may be used to cloak folders)

Executable content was dropped or overwritten

INFO

Checks supported languages

Checks proxy server information

Detects GO elliptic curve encryption (YARA)

Application based on Golang

Reads security settings of Internet Explorer

Creates files or folders in the user directory

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings