File name: 2025-05-17_1707d5de5750cd57394485435e92305e_frostygoop_knight_luca-stealer_poet-rat_sliver_snatch

Full analysis: https://app.any.run/tasks/6e918287-87f7-4fa2-aa2b-a6a1583443b5
Verdict: Malicious activity
Analysis date: May 17, 2025, 18:49:46
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: discord, websocket, auto-reg, antivm, ip-check, golang, ims-api, generic
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 8 sections
MD5: 1707D5DE5750CD57394485435E92305E
SHA1: 4F928D573BA5050FDEFE363FB468C996C4CB6469
SHA256: 33023EA641D3BF10A41D17DB05B54CF12511E49AE1094BA3FAD3170DD5A28202
SSDEEP: 98304:vGRu6mqc+M6k9EbYIn6AQ+GiBkaOhLrYtUXNLifoi8KPhuy/E/YXIZSCOUbXKON1:H

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
In the signature list below, "sample.exe" stands for 2025-05-17_1707d5de5750cd57394485435e92305e_frostygoop_knight_luca-stealer_poet-rat_sliver_snatch.exe, which ran as three instances (PIDs 5344, 4200 and 6972).
  • MALICIOUS
    • Changes the autorun value in the registry: sample.exe (PID 5344)
  • SUSPICIOUS
    • The process checks whether it is running in a virtual environment: sample.exe (PIDs 5344, 4200, 6972)
    • Uses ATTRIB.EXE to modify file attributes: sample.exe (PID 5344)
    • Gets the list of running processes: sample.exe (PIDs 5344, 4200, 6972)
    • Executable content was dropped or overwritten: sample.exe (PID 5344)
    • Starts itself from another location: sample.exe (PID 5344)
    • Starts CMD.EXE for command execution: sample.exe (PIDs 4200, 6972)
    • Starts POWERSHELL.EXE for command execution: sample.exe (PIDs 4200, 6972)
    • Contains VMware VM-detection functionality (YARA): sample.exe (PIDs 4200, 6972)
    • Contains screenshot-capture functionality (YARA): sample.exe (PIDs 4200, 6972)
    • Contains Parallels VM-detection functionality (YARA): sample.exe (PIDs 4200, 6972)
    • Contains VirtualBox VM-detection functionality (YARA): sample.exe (PIDs 4200, 6972)
    • Contains public-IP lookup functionality (YARA): sample.exe (PIDs 4200, 6972)
    • Possible use of the Discord/Telegram API detected (YARA): sample.exe (PID 6972)
  • INFO
    • Auto-launch of the file from a Registry key: sample.exe (PID 5344)
    • Checks supported languages: sample.exe (PIDs 5344, 6972, 4200)
    • Drops an encoded JS script (Microsoft Script Encoder): sample.exe (PIDs 5344, 6972, 4200)
    • Creates files in a temporary directory: sample.exe (PIDs 4200, 6972); powershell.exe (PIDs 6988, 4180)
    • Reads the computer name: sample.exe (PIDs 4200, 6972)
    • Manual execution by a user: sample.exe (PID 6972)
    • Reads the security settings of Internet Explorer: powershell.exe (PIDs 6988, 4180)
    • Reads the software policy settings: sample.exe (PIDs 4200, 6972); powershell.exe (PIDs 6988, 4180); slui.exe (PID 5280)
    • Attempts to use an instant messaging service: sample.exe (PID 4200)
    • Reads the machine GUID from the registry: sample.exe (PIDs 4200, 6972)
    • Detects Go elliptic-curve cryptography (YARA): sample.exe (PIDs 4200, 6972)
    • Application based on Golang: sample.exe (PIDs 4200, 6972)
    • Checks proxy server information: slui.exe (PID 5280)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
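The MALICIOUS and SUSPICIOUS signatures above describe one chain: the sample copies itself under the user's profile, registers the copy under the HKCU Run key, and runs tasklist.exe and bcdedit.exe from the same parent. The following detection logic is an added example and is not part of the ANY.RUN report. It runs over constructed, Sysmon-style event dictionaries (ID 1 process create, ID 11 file create, ID 13 registry value set) that mirror the report's observations; the field names, the parent PID 5344 for the tasklist/bcdedit launches and the shortened file name "sample.exe" are assumptions.

```python
"""Detect the relocate-then-persist pattern with supporting host recon.

Added example, not part of the ANY.RUN report. Event field names follow
Sysmon, the sample events are constructed, and "sample.exe" stands for the
submitted file. PID 5344 as parent of tasklist/bcdedit is assumed.
"""
import re
from collections import defaultdict

# Any Run / RunOnce key, whatever hive prefix the telemetry uses (HKCU, HKU\<SID>, HKLM).
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# Profile folders where a legitimate autorun target is unusual (the report's copy landed in Music).
ODD_PROFILE_DIRS = ("music", "pictures", "videos", "documents", "downloads", r"appdata\local\temp")
RECON_TOOLS = {"tasklist.exe", "bcdedit.exe", "attrib.exe"}


def image_from_run_value(value):
    """Return the executable path from a Run value such as '"C:\\x\\y.exe" ARG1 ARG2'."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', value)
    return (m.group(1) or m.group(2)) if m else ""


def profile_subdir(path):
    """Return the odd profile folder a path lives in (lower case), or None."""
    m = re.match(r"^[a-z]:\\users\\[^\\]+\\(.+)$", path, re.I)
    if not m:
        return None
    rest = m.group(1).lower()
    return next((d for d in ODD_PROFILE_DIRS if rest.startswith(d + "\\")), None)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def find_persistence_chains(events):
    """One finding per Run-key write that is backed by at least two pieces of evidence."""
    children = defaultdict(set)   # writer PID -> image names it spawned
    created = defaultdict(set)    # writer PID -> files it created
    for e in events:
        if e["EventID"] == 1:
            children[e["ParentProcessId"]].add(basename(e["Image"]))
        elif e["EventID"] == 11:
            created[e["ProcessId"]].add(e["TargetFilename"].lower())

    findings = []
    for e in events:
        if e["EventID"] != 13 or not RUN_KEY_RE.search(e["TargetObject"]):
            continue
        target = image_from_run_value(e["Details"])
        evidence = []
        folder = profile_subdir(target)
        if folder:
            evidence.append(f"autorun target sits under the user's {folder} folder")
        if target.lower() in created[e["ProcessId"]]:
            evidence.append("the writer created the autorun target itself (self-copy)")
        if basename(target) == basename(e["Image"]) and target.lower() != e["Image"].lower():
            evidence.append("target has the writer's file name at a different path (relocation)")
        recon = sorted(RECON_TOOLS & children[e["ProcessId"]])
        if recon:
            evidence.append("writer also launched " + ", ".join(recon))
        if len(evidence) >= 2:
            findings.append({
                "pid": e["ProcessId"],
                "value_name": e["TargetObject"].rsplit("\\", 1)[-1],
                "target": target,
                "evidence": evidence,
            })
    return findings


# Constructed telemetry: the first four events mirror the report, the last is a benign control.
EVENTS = [
    {"EventID": 11, "ProcessId": 5344, "Image": r"C:\Users\admin\Desktop\sample.exe",
     "TargetFilename": r"C:\Users\admin\Music\FFUJD-FREHJ\sample.exe"},
    {"EventID": 13, "ProcessId": 5344, "Image": r"C:\Users\admin\Desktop\sample.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\FFUJD",
     "Details": r'"C:\Users\admin\Music\FFUJD-FREHJ\sample.exe" FMJIE NIL'},
    {"EventID": 1, "ProcessId": 660, "ParentProcessId": 5344,
     "Image": r"C:\Windows\System32\tasklist.exe", "CommandLine": "tasklist"},
    {"EventID": 1, "ProcessId": 668, "ParentProcessId": 5344,
     "Image": r"C:\Windows\System32\bcdedit.exe", "CommandLine": "bcdedit.exe"},
    {"EventID": 13, "ProcessId": 900, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r'"C:\Program Files\Vendor\tray.exe" /min'},
]

if __name__ == "__main__":
    for f in find_persistence_chains(EVENTS):
        print(f"PID {f['pid']} persisted {f['target']} as Run\\{f['value_name']}")
        for line in f["evidence"]:
            print("  -", line)
```

Requiring two independent pieces of evidence is what keeps an installer that registers a tray application out of the results while the self-copy in Music, launched with extra arguments and followed by tasklist/bcdedit, is flagged.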
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 3
CodeSize: 3420160
InitializedDataSize: 332800
UninitializedDataSize: -
EntryPoint: 0x74780
OSVersion: 6.1
ImageVersion: 1
SubsystemVersion: 6.1
Subsystem: Windows GUI
Note: a zero TimeStamp together with LinkerVersion 3 is what the Go linker writes into PE headers, consistent with the Golang signatures above.
All screenshots are available in the full report
Total processes: 149 | Monitored processes: 30 | Malicious processes: 3 | Suspicious processes: 0

Behavior graph (flattened; nodes in the order the report lists them, "no specs" markers dropped; "sample.exe" stands for the submitted file)

start sample.exe, then: tasklist.exe, conhost.exe, bcdedit.exe, conhost.exe, attrib.exe, conhost.exe
sample.exe, then: tasklist.exe, conhost.exe, bcdedit.exe, conhost.exe, cmd.exe, conhost.exe, powershell.exe, conhost.exe
sample.exe, then: tasklist.exe, conhost.exe, bcdedit.exe, conhost.exe, cmd.exe, conhost.exe, powershell.exe, conhost.exe, powershell.exe, conhost.exe, powershell.exe, conhost.exe, slui.exe

The instance that ran attrib.exe is PID 5344 according to the signatures above; the two later instances are the ones that reached Discord.

Process information (the page shows 10 of the 30 monitored processes; "sample.exe" stands for the submitted file)

PID 660: tasklist
  Path: C:\Windows\System32\tasklist.exe | Parent: sample.exe
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM
  Description: Lists the current running tasks | Exit code: 0 | Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (c:\windows\system32\): tasklist.exe, ntdll.dll, kernel32.dll, kernelbase.dll, advapi32.dll, msvcrt.dll, sechost.dll, rpcrt4.dll, bcrypt.dll, user32.dll

PID 668: bcdedit.exe
  Path: C:\Windows\System32\bcdedit.exe | Parent: sample.exe
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM
  Description: Boot Configuration Data Editor | Exit code: 1 | Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (c:\windows\system32\): bcdedit.exe, ntdll.dll, kernel32.dll, kernelbase.dll, apphelp.dll, msvcrt.dll, cryptsp.dll
  Note: bcdedit needs an elevated token to open the BCD store; from a MEDIUM-integrity process it fails, which matches exit code 1.

PID 720: cmd.exe /c C:\Users\admin\Documents\BloxdDuper\BloxdDuper.exe
  Path: C:\Windows\System32\cmd.exe | Parent: sample.exe
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM
  Description: Windows Command Processor | Exit code: 1 | Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (c:\windows\system32\): cmd.exe, ntdll.dll, kernel32.dll, kernelbase.dll, msvcrt.dll, combase.dll, ucrtbase.dll, rpcrt4.dll
  Note: no file at that path appears in the dropped-files list, and the command returned 1.

PID 1056: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
  Path: C:\Windows\System32\conhost.exe | Parent: bcdedit.exe
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM
  Description: Console Window Host | Exit code: 0 | Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (c:\windows\system32\): conhost.exe, ntdll.dll, kernel32.dll, kernelbase.dll, msvcp_win.dll, ucrtbase.dll, shcore.dll, msvcrt.dll, combase.dll, rpcrt4.dll

PIDs 1128, 1188, 1660: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
  Path: C:\Windows\System32\conhost.exe | Parent: powershell.exe
  Same user, company, integrity level, description, exit code, version and module list as PID 1056.

PID 1348: tasklist
  Path: C:\Windows\System32\tasklist.exe | Parent: sample.exe
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM
  Description: Lists the current running tasks | Exit code: 0 | Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (c:\windows\system32\): tasklist.exe, ntdll.dll, kernel32.dll, kernelbase.dll, apphelp.dll, advapi32.dll, msvcrt.dll, sechost.dll, rpcrt4.dll, bcrypt.dll

PID 1676: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
  Path: C:\Windows\System32\conhost.exe | Parent: tasklist.exe
  Same user, company, integrity level, description, exit code, version and module list as PID 1056.

PID 1804: cmd.exe /c C:\Users\admin\Documents\BloxdDuper\BloxdDuper.exe
  Path: C:\Windows\System32\cmd.exe | Parent: sample.exe
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM
  Description: Windows Command Processor | Exit code: 1 | Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (c:\windows\system32\): cmd.exe, ntdll.dll, kernel32.dll, kernelbase.dll, apphelp.dll, msvcrt.dll, combase.dll, ucrtbase.dll, rpcrt4.dll

Every listed helper ran as the same MEDIUM-integrity "admin" user; nothing in the shown process set was elevated.
Total events: 30 857 | Read events: 30 854 | Write events: 3 | Delete events: 0

Modification events (the three registry writes; "sample.exe" stands for the submitted file)

PID 5344, sample.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Operation: write | Name: FFUJD
  Value: "C:\Users\admin\Music\FFUJD-FREHJ\2025-05-17_1707d5de5750cd57394485435e92305e_frostygoop_knight_luca-stealer_poet-rat_sliver_snatch.exe" FMJIE NIL

PID 4200, sample.exe
  Key: HKEY_CLASSES_ROOT\ZLFPW | Operation: write | Name: SDOS | Value: 0x0001

PID 6972, sample.exe
  Key: HKEY_CLASSES_ROOT\ZLFPW | Operation: write | Name: SDOS | Value: 0x0001

The Run value launches the relocated copy with two extra arguments (FMJIE NIL). The ZLFPW\SDOS flag is written by both later instances; for a MEDIUM-integrity process a write under HKEY_CLASSES_ROOT to a key that does not exist under HKLM lands in HKCU\Software\Classes, so that is where to look for it on a live host.
Executable files: 1 | Suspicious files: 1 | Text files: 8 | Unknown types: 0

Dropped files ("sample.exe" stands for the submitted file)

PID | Process | Filename | Type | MD5 | SHA256
6148 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_5joerqa5.uno.psm1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4180 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_5t5fcjuy.pbi.psm1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6988 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | 045E5E03442F8C0A844B914C07B19555 | 343CA7DEF67B641E1F3F2A9ED01FABF9447FBE5A680D775B449C64BD7DB959A9
5728 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_3eigmvk4.zco.psm1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6988 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_533rznlh.bqn.ps1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5728 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_gjpwc0wq.uk3.ps1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6988 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_0red3fwn.yap.psm1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4180 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_zfp5kelb.ar1.ps1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6148 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_vcyx0xgi.lpk.ps1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5344 | sample.exe | C:\Users\admin\Music\FFUJD-FREHJ\2025-05-17_1707d5de5750cd57394485435e92305e_frostygoop_knight_luca-stealer_poet-rat_sliver_snatch.exe | executable | 1707D5DE5750CD57394485435E92305E | 33023EA641D3BF10A41D17DB05B54CF12511E49AE1094BA3FAD3170DD5A28202

The nine __PSScriptPolicyTest_* files share a single hash: PowerShell writes them itself to test whether AppLocker/WDAC constrains script execution, and StartupProfileData-NonInteractive is its startup cache, so none of them is attacker content. The one executable is a byte-identical copy of the sample (same MD5 and SHA256) at exactly the path referenced by the Run key in the modification events.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0 | TCP/UDP connections: 30 | DNS requests: 8 | Threats: 54

HTTP requests

No HTTP requests

Connections ("sample.exe" stands for the submitted file; "-" marks a cell the report left empty)

PID | Process | IP:port | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4200 | sample.exe | 162.159.135.233:443 | cdn.discordapp.com | CLOUDFLARENET | - | whitelisted
4200 | sample.exe | 162.159.138.232:443 | discord.com | CLOUDFLARENET | - | whitelisted
4200 | sample.exe | 162.159.133.234:443 | gateway.discord.gg | CLOUDFLARENET | - | whitelisted
6972 | sample.exe | 162.159.135.233:443 | cdn.discordapp.com | CLOUDFLARENET | - | whitelisted
6972 | sample.exe | 162.159.138.232:443 | discord.com | CLOUDFLARENET | - | whitelisted
6972 | sample.exe | 162.159.133.234:443 | gateway.discord.gg | CLOUDFLARENET | - | whitelisted

Every Discord destination is marked whitelisted, so domain reputation on its own will not surface this traffic. What distinguishes it is the process: the connections to the API host, the websocket gateway and the CDN come from the sample itself (PIDs 4200 and 6972), not from a Discord client or a browser.

DNS requests

Domain | Resolved IPs | Reputation
settings-win.data.microsoft.com | 40.127.240.158, 4.231.128.59 | whitelisted
google.com | 142.250.186.110 | whitelisted
cdn.discordapp.com | 162.159.135.233, 162.159.130.233, 162.159.129.233, 162.159.134.233, 162.159.133.233 | whitelisted
discord.com | 162.159.138.232, 162.159.136.232, 162.159.137.232, 162.159.128.233, 162.159.135.232 | whitelisted
gateway.discord.gg | 162.159.133.234, 162.159.130.234, 162.159.135.234, 162.159.136.234, 162.159.134.234 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted

Threats (the page lists 10 alerts of the 54 counted; "sample.exe" stands for the submitted file; rows without a PID are grouped by the report under the row above)

PID | Process | Class | Message
2196 | svchost.exe | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
4200 | sample.exe | Misc activity | ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
| | Misc activity | ET INFO ZIP File Download Request via Discord
| | Misc activity | ET USER_AGENTS Go HTTP Client User-Agent
| | Misc activity | ET INFO Go-http-client User-Agent Observed Outbound
2196 | svchost.exe | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discord .com)
4200 | sample.exe | Misc activity | ET INFO Observed Discord Domain (discord .com in TLS SNI)
4200 | sample.exe | Misc activity | ET INFO Observed Discord Service Domain (discord .com) in TLS SNI
2196 | svchost.exe | Misc activity | ET INFO Discord Chat Service Domain in DNS Lookup (discord .com)
| | Misc activity | ET USER_AGENTS Discord Bot User-Agent Observed (DiscordBot)

The DNS alerts are attributed to svchost.exe (PID 2196) because the DNS Client service resolves names on behalf of every process; the TLS SNI and user-agent alerts are attributed to the sample directly. The Go-http-client and DiscordBot user-agents, together with the ZIP download request against the Discord CDN, are the alerts that carry signal here; the domain-observed alerts alone would also fire for a legitimate Discord user.
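The Connections, DNS and Threats sections together show why Discord-as-C2 slips past reputation: every host is whitelisted, and DNS alerts point at the resolver rather than the culprit. The following is an added example and not part of the ANY.RUN report. It correlates process-attributed TLS SNI and HTTP user-agent observations per process and scores the bot-style usage pattern; the events are constructed to mirror the report (PID 4200 for the sample, svchost.exe PID 2196 for DNS), a real Discord client and a browser are included as controls, and the field names, control process paths, the DiscordBot user-agent string and the scoring weights are assumptions.

```python
"""Flag Discord used as C2 from process-attributed network telemetry.

Added example, not part of the ANY.RUN report. Events are constructed; DNS
events are attributed to the DNS Client service (svchost.exe) and therefore
ignored as evidence against a PID. Control processes and weights are assumed.
"""
from collections import defaultdict

DISCORD_ROLES = {"discord.com": "api", "gateway.discord.gg": "gateway",
                 "cdn.discordapp.com": "cdn", "discordapp.com": "cdn"}
# Images expected to talk to Discord; anything else on the gateway is a bot or a RAT.
EXPECTED_IMAGES = {"discord.exe", "discordptb.exe", "discordcanary.exe",
                   "chrome.exe", "msedge.exe", "firefox.exe"}
PROGRAMMATIC_UA = ("go-http-client/", "discordbot", "python-requests/", "curl/")


def domain_role(host):
    """Map a hostname to the Discord role it plays (api / gateway / cdn) or None."""
    host = host.lower().rstrip(".")
    for dom, role in DISCORD_ROLES.items():
        if host == dom or host.endswith("." + dom):
            return role
    return None


def score_discord_c2(events, threshold=3):
    """Group Discord traffic per (pid, image) and score the bot-style usage pattern."""
    per_proc = defaultdict(lambda: {"roles": set(), "hosts": set(), "uas": set()})
    for e in events:
        if e["type"] == "dns":      # resolver-attributed: a hint, not evidence against a PID
            continue
        role = domain_role(e["host"])
        if role is None:
            continue
        p = per_proc[(e["pid"], e["image"].rsplit("\\", 1)[-1].lower())]
        p["roles"].add(role)
        p["hosts"].add(e["host"].lower())
        if e["type"] == "http":
            p["uas"].add(e["user_agent"])

    findings = []
    for (pid, image), p in per_proc.items():
        if image in EXPECTED_IMAGES:
            continue
        score, why = 0, []
        if "gateway" in p["roles"]:
            score += 2
            why.append("connected to the bot/websocket gateway")
        if {"api", "cdn"} <= p["roles"]:
            score += 1
            why.append("used API and CDN together (tasking plus payload fetch)")
        prog = sorted(ua for ua in p["uas"] if ua.lower().startswith(PROGRAMMATIC_UA))
        if prog:
            score += 2
            why.append("programmatic user-agent: " + ", ".join(prog))
        if score >= threshold:
            findings.append({"pid": pid, "image": image, "score": score,
                             "hosts": sorted(p["hosts"]), "why": why})
    return findings


SAMPLE = r"C:\Users\admin\Desktop\sample.exe"
DISCORD_CLIENT = r"C:\Users\admin\AppData\Local\Discord\app-1.0\Discord.exe"
EVENTS = [  # constructed
    {"type": "dns", "pid": 2196, "image": r"C:\Windows\System32\svchost.exe", "host": "cdn.discordapp.com"},
    {"type": "tls", "pid": 4200, "image": SAMPLE, "host": "cdn.discordapp.com"},
    {"type": "tls", "pid": 4200, "image": SAMPLE, "host": "discord.com"},
    {"type": "tls", "pid": 4200, "image": SAMPLE, "host": "gateway.discord.gg"},
    {"type": "http", "pid": 4200, "image": SAMPLE, "host": "cdn.discordapp.com", "user_agent": "Go-http-client/1.1"},
    {"type": "http", "pid": 4200, "image": SAMPLE, "host": "discord.com", "user_agent": "DiscordBot (example, 0.0)"},
    # controls: the real client and a browser use the same hosts legitimately
    {"type": "tls", "pid": 3100, "image": DISCORD_CLIENT, "host": "gateway.discord.gg"},
    {"type": "tls", "pid": 3100, "image": DISCORD_CLIENT, "host": "discord.com"},
    {"type": "tls", "pid": 4500, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "host": "discord.com"},
]

if __name__ == "__main__":
    for f in score_discord_c2(EVENTS):
        print(f"PID {f['pid']} ({f['image']}) score {f['score']}: {', '.join(f['hosts'])}")
        for w in f["why"]:
            print("  -", w)
```

The image allow-list is deliberately narrow: the gateway is only meant to be opened by Discord's own clients, browsers and bots, so an unknown image on gateway.discord.gg already scores, and a Go or DiscordBot user-agent from that same image is what pushes it over the threshold.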
No debug info