File name:

2025-06-21_f4693ecb719ac6fa7ffe2fbdddf62cca_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch

Full analysis: https://app.any.run/tasks/9f2d81bf-e18b-4193-bf4b-1abbe257688e
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: June 21, 2025, 23:34:10
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
ransomware
gofing
fileinfector
golang
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows, 13 sections
MD5: F4693ECB719AC6FA7FFE2FBDDDF62CCA
SHA1: 72777DA86BB1E4BDE1EFB8659A063BAD6A27580D
SHA256: 4DA71AF990319F9322DA138DD69263C26010E72E7500639D6A286ACA186CE46D
SSDEEP: 98304:/i6phhlaOhMkaIGzDJseMoC+xudYv3FE/ao3PYIuPZHaTH7inCnVn:w0JR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS (all triggered by 2025-06-21_f4693ecb719ac6fa7ffe2fbdddf62cca_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe, PID 1568)
    • RANSOMWARE has been detected
    • GOFING has been detected (YARA)
    • Steals credentials from Web Browsers
    • Actions look like stealing of personal data
    • Modifies files in the Chrome extension folder
  • SUSPICIOUS (all triggered by the same sample process, PID 1568)
    • Write to the desktop.ini file (may be used to cloak folders)
    • Executable content was dropped or overwritten
    • Suspicious files were dropped or overwritten
  • INFO
    • Checks supported languages (sample, PID 1568)
    • Creates files in the program directory (sample, PID 1568)
    • Creates files or folders in the user directory (sample, PID 1568)
    • Application based on Golang (sample, PID 1568)
    • Checks proxy server information (slui.exe, PID 5724)
    • Detects GO elliptic curve encryption (YARA) (sample, PID 1568)
    • Reads the software policy settings (slui.exe, PID 5724)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK matrix in the full report.
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: Executable, Large address aware, No debug
PEType: PE32+
LinkerVersion: 3
CodeSize: 1319424
InitializedDataSize: 226816
UninitializedDataSize: -
EntryPoint: 0x63740
OSVersion: 6.1
ImageVersion: 1
SubsystemVersion: 6.1
Subsystem: Windows command line
All screenshots are available in the full report
Total processes: 134
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> THREAT 2025-06-21_f4693ecb719ac6fa7ffe2fbdddf62cca_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe (PID 1568) -> conhost.exe (PID 6852, no specs)
svchost.exe -> slui.exe (PID 5724)

Process information

PID 1568 (THREAT)
CMD: "C:\Users\admin\Desktop\2025-06-21_f4693ecb719ac6fa7ffe2fbdddf62cca_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe"
Path: C:\Users\admin\Desktop\2025-06-21_f4693ecb719ac6fa7ffe2fbdddf62cca_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
  c:\users\admin\desktop\2025-06-21_f4693ecb719ac6fa7ffe2fbdddf62cca_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\apphelp.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\bcrypt.dll

PID 5724
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Description: Windows Activation Client
Version: 10.0.19041.1 (WinBuild.160101.0800)
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
  c:\windows\system32\slui.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\bcrypt.dll
  c:\windows\system32\user32.dll

PID 6852
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: 2025-06-21_f4693ecb719ac6fa7ffe2fbdddf62cca_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe (PID 1568)
User: admin
Company: Microsoft Corporation
Description: Console Window Host
Version: 10.0.19041.1 (WinBuild.160101.0800)
Integrity Level: MEDIUM
Modules (images):
  c:\windows\system32\conhost.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcp_win.dll
  c:\windows\system32\ucrtbase.dll
  c:\windows\system32\shcore.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\combase.dll
  c:\windows\system32\rpcrt4.dll
Registry activity
Total events: 3 670
Read events: 3 670
Write events: 0
Delete events: 0

Modification events: no data

Files activity
Executable files: 426
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files (all written by PID 1568, 2025-06-21_f4693ecb719ac6fa7ffe2fbdddf62cca_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe)

Filename | Type | MD5 | SHA256
C:\ProgramData\Adobe\ARM\Acrobat_23.001.20093\AcroRdrDCx64Upd2300820470_MUI.msp | - | - | -
C:\ProgramData\Microsoft\MF\Pending.GRL | executable | 3DF28E73FC2888801E847F162DA34154 | 4AF7DB3E0DEEF1C50A2F61575067917DA7D2EAD01B54344309F1C151F516ACC7
C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini | executable | EA204F903BB413473D90C0F1FE38DA4F | 6214EE29DCCA43DB5F942AEF6EED01243CCD6E8986A5418E10DAC954BD53B6F9
C:\ProgramData\Adobe\ARM\Acrobat_23.001.20093\AcrobatDCx64Manifest3.msi | executable | B7DCF9D4362EE0339CC953EE7B67AF08 | 95D273DB80404825AF14451B7A365751273C2334F67A85463F2CFA2C00E90658
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\NonCritical_MicrosoftEdgeUpd_344a8180346ca76892ce216b982cf822c61fbb7_00000000_71683ae8-b291-43e9-ae7c-85522da87a4d\Report.wer | executable | A43FD90FE222B5C49CAC843491B72DAC | 5DFF296A474F5A1AF8E86E30BCE0FCA795D79AACD1CC90E42CF69ECC38E0C322
C:\ProgramData\Microsoft\Windows\WER\Temp\0705cb32-67a0-4f07-a729-97d547d79346 | executable | 19DCDD5E189405C278C660AE0B6EE8A1 | 4A68DB59DFE722D85DAA21A9494D305051B9DD394FAFE6B2D41494C5DFE07CDE
C:\ProgramData\Microsoft\Windows\WER\Temp\16ab3579-ceca-43a8-9d5a-b14749faa335 | executable | 9B7CC5DCC73BC5EF16E98EFD43EBA3E4 | C1122C91E076AE163D1916C1F032E1321617CB5512CE9F554FC65C8210BC57A5
C:\ProgramData\Microsoft\Windows\WER\Temp\11e41899-2897-4b03-864c-aa991f90f535 | executable | 2ACB5F3E52DC330489052A5C38BA3153 | E8F06B8A01A5A0E8B4CD9F53C2111EE2B4567241620F6C9187C04F43A99A2147
C:\ProgramData\Microsoft\Windows\WER\Temp\0cd8943f-710d-4553-a270-0fc0638602ac | executable | D08A0E57DDE70EC78D3A52FE98E1C851 | 8D016E6E04DDB775C122DD146DE01FBBD360CA577E6462E9D46A859FFBCAC6A6
C:\ProgramData\Microsoft\Windows\WER\Temp\0def51e6-0c6e-4245-b5c0-45657704a6a2 | executable | 0D0BBDF41CA9183F74E3A82F5D667344 | CA4218CDE19F442C6489768CADE1C55A3BA41D2B4FB8FD844A6F788760BDB45E
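The security-relevant reading of this table is that the sample did not drop its own payload somewhere new; it wrote PE ("executable") content over files that already existed under names where no PE belongs (an .msi, a .wer report, a Recycle Bin desktop.ini, extension-less WER temp files), which is what the "fileinfector" tag and the "Executable content was dropped or overwritten" signature mean. The script below is an added example, not ANY.RUN's code: it loads the rows above (hashes shortened to MD5) and applies my own illustrative rules to turn the table into that evidence. The PE_EXTENSIONS and SYSTEM_OWNED lists are assumptions, not something the report states.

```python
"""Triage of the Dropped files table from the sandbox report above.

Added example, not ANY.RUN's code. The records are copied from this
report (PID 1568, SHA256 omitted for brevity); the classification rules
are my own illustration of how an analyst turns the table into
file-infector evidence.
"""
from __future__ import annotations
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class Dropped:
    pid: int
    path: str
    ftype: str   # content type as reported by the sandbox ("" if not recorded)
    md5: str     # "" if not recorded


# Copied from the report's Dropped files table (first row had no type or hashes).
DROPPED = [
    Dropped(1568, r"C:\ProgramData\Adobe\ARM\Acrobat_23.001.20093\AcroRdrDCx64Upd2300820470_MUI.msp", "", ""),
    Dropped(1568, r"C:\ProgramData\Microsoft\MF\Pending.GRL", "executable", "3DF28E73FC2888801E847F162DA34154"),
    Dropped(1568, r"C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini", "executable", "EA204F903BB413473D90C0F1FE38DA4F"),
    Dropped(1568, r"C:\ProgramData\Adobe\ARM\Acrobat_23.001.20093\AcrobatDCx64Manifest3.msi", "executable", "B7DCF9D4362EE0339CC953EE7B67AF08"),
    Dropped(1568, r"C:\ProgramData\Microsoft\Windows\WER\ReportArchive\NonCritical_MicrosoftEdgeUpd_344a8180346ca76892ce216b982cf822c61fbb7_00000000_71683ae8-b291-43e9-ae7c-85522da87a4d\Report.wer", "executable", "A43FD90FE222B5C49CAC843491B72DAC"),
    Dropped(1568, r"C:\ProgramData\Microsoft\Windows\WER\Temp\0705cb32-67a0-4f07-a729-97d547d79346", "executable", "19DCDD5E189405C278C660AE0B6EE8A1"),
    Dropped(1568, r"C:\ProgramData\Microsoft\Windows\WER\Temp\16ab3579-ceca-43a8-9d5a-b14749faa335", "executable", "9B7CC5DCC73BC5EF16E98EFD43EBA3E4"),
    Dropped(1568, r"C:\ProgramData\Microsoft\Windows\WER\Temp\11e41899-2897-4b03-864c-aa991f90f535", "executable", "2ACB5F3E52DC330489052A5C38BA3153"),
    Dropped(1568, r"C:\ProgramData\Microsoft\Windows\WER\Temp\0cd8943f-710d-4553-a270-0fc0638602ac", "executable", "D08A0E57DDE70EC78D3A52FE98E1C851"),
    Dropped(1568, r"C:\ProgramData\Microsoft\Windows\WER\Temp\0def51e6-0c6e-4245-b5c0-45657704a6a2", "executable", "0D0BBDF41CA9183F74E3A82F5D667344"),
]

# Extensions under which PE content is expected (assumption). Anything else that
# the sandbox typed as "executable" means pre-existing non-PE content was overwritten.
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".com", ".cpl", ".ocx", ".drv"}

# Locations a user-level dropper normally has no reason to write to (assumption).
SYSTEM_OWNED = ("c:\\programdata\\", "c:\\$recycle.bin\\", "c:\\windows\\")

# Per-user Recycle Bin folders are named after the owning account's SID.
SID_RE = re.compile(r"\\(S-1-5-21(?:-\d+){4})\\", re.IGNORECASE)


def findings(rec: Dropped) -> list[str]:
    """Human-readable findings for one dropped-file row."""
    out: list[str] = []
    p = PureWindowsPath(rec.path)
    ext = p.suffix.lower()
    if rec.ftype == "executable" and ext not in PE_EXTENSIONS:
        out.append(f"PE content written under non-PE name {p.name!r} (ext {ext or 'none'})")
    if rec.path.lower().startswith(SYSTEM_OWNED):
        out.append("write to system-owned location")
    if p.name.lower() == "desktop.ini":
        out.append("desktop.ini overwritten (folder-cloaking / shell handler abuse)")
    if not rec.md5:
        out.append("no hash recorded, content not recoverable from the report")
    return out


def triage(records: list[Dropped] = DROPPED) -> dict[str, list[str]]:
    return {r.path: findings(r) for r in records}


def infected_paths(records: list[Dropped] = DROPPED) -> list[str]:
    """Paths whose original (non-PE) content was replaced by PE content."""
    return [r.path for r in records
            if any(f.startswith("PE content") for f in findings(r))]


def recycle_bin_sids(records: list[Dropped] = DROPPED) -> set[str]:
    """Account SIDs whose Recycle Bin folders were touched."""
    sids = set()
    for r in records:
        m = SID_RE.search(r.path)
        if m:
            sids.add(m.group(1))
    return sids


if __name__ == "__main__":
    for path, fs in triage().items():
        print(path)
        for f in fs:
            print("   ", f)
    print(len(infected_paths()), "files overwritten with PE content;",
          "Recycle Bin SIDs:", recycle_bin_sids())
```

Nine of the ten rows come out as overwritten-with-PE, which is the file-infector behaviour in one number; the .msp row cannot be judged because the report recorded neither a type nor a hash for it, so the script says so rather than guessing. The SID pulled from the $Recycle.Bin path is the RID-1001 user account of the guest, which is the same admin user the sample ran as (Integrity Level MEDIUM), consistent with no privilege escalation being needed for any of these writes.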
Download the PCAP, analyze network streams, HTTP content and more in the full report.

Network summary
HTTP(S) requests: 9
TCP/UDP connections: 20
DNS requests: 10
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.55.104.172:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 23.55.104.172:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
2324 | RUXIMICS.exe | GET | 200 | 23.55.104.172:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
2324 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
- | - | POST | 204 | 2.16.204.141:443 | https://www.bing.com/threshold/xls.aspx | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1268 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2324 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 23.55.104.172:80 | crl.microsoft.com | Akamai International B.V. | US | whitelisted
2324 | RUXIMICS.exe | 23.55.104.172:80 | crl.microsoft.com | Akamai International B.V. | US | whitelisted
1268 | svchost.exe | 23.55.104.172:80 | crl.microsoft.com | Akamai International B.V. | US | whitelisted
5944 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
1268 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 4.231.128.59, 51.124.78.146, 20.73.194.208 | whitelisted
google.com | 216.58.206.46 | whitelisted
crl.microsoft.com | 23.55.104.172, 23.55.104.190 | whitelisted
www.microsoft.com | 95.101.149.131 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224, 20.83.72.98 | whitelisted
self.events.data.microsoft.com | 20.52.64.200 | whitelisted
www.bing.com | 2.16.241.218, 2.16.241.201 | whitelisted
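The summary counts ("9 HTTP(S) requests, 20 TCP/UDP connections, 10 DNS requests") read like the sample phoned home, but every row that carries a PID belongs to a Windows background process (MoUsoCoreWorker.exe, svchost.exe, RUXIMICS.exe, System), none of which is in the monitored tree (PIDs 1568, 5724, 6852). The script below is an added example, not ANY.RUN's code: it loads the HTTP and connection rows printed above plus the DNS answers, attributes each to the monitored tree, the background, or "unattributed" (the three POST rows with no PID), and lists hosts outside an assumed allowlist of Windows telemetry and PKI suffixes. EXPECTED_SUFFIXES is my assumption; the events are as printed in this excerpt, which lists fewer rows than the summary counts.

```python
"""Attribute the network tables of the report above to the monitored process tree.

Added example, not ANY.RUN's code. Event rows and DNS answers are copied
from this report; the monitored PIDs come from its Process information
section; the allowlist of expected suffixes is my own assumption.
"""
from __future__ import annotations
from dataclasses import dataclass
from urllib.parse import urlsplit

# Monitored process tree (from the report's Process information section).
MONITORED_PIDS = {1568: "sample (THREAT)", 5724: "slui.exe", 6852: "conhost.exe"}


@dataclass(frozen=True)
class NetEvent:
    kind: str             # "http" or "conn"
    pid: int | None       # None where the report row has no PID column
    process: str | None
    dst: str              # ip:port as printed in the report
    target: str           # full URL (http) or resolved domain (conn); "" if none
    reputation: str


CRL1 = "http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl"
CRL2 = "http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl"
ACT = "https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail"
BING = "https://www.bing.com/threshold/xls.aspx"

# Rows copied from the HTTP requests and Connections tables above.
EVENTS = [
    NetEvent("http", 5944, "MoUsoCoreWorker.exe", "23.55.104.172:80", CRL1, "whitelisted"),
    NetEvent("http", 1268, "svchost.exe", "23.55.104.172:80", CRL1, "whitelisted"),
    NetEvent("http", 2324, "RUXIMICS.exe", "23.55.104.172:80", CRL1, "whitelisted"),
    NetEvent("http", 5944, "MoUsoCoreWorker.exe", "95.101.149.131:80", CRL2, "whitelisted"),
    NetEvent("http", 1268, "svchost.exe", "95.101.149.131:80", CRL2, "whitelisted"),
    NetEvent("http", None, None, "20.83.72.98:443", ACT, "whitelisted"),
    NetEvent("http", 2324, "RUXIMICS.exe", "95.101.149.131:80", CRL2, "whitelisted"),
    NetEvent("http", None, None, "20.83.72.98:443", ACT, "whitelisted"),
    NetEvent("http", None, None, "2.16.204.141:443", BING, "whitelisted"),
    NetEvent("conn", 4, "System", "192.168.100.255:137", "", "whitelisted"),
    NetEvent("conn", 5944, "MoUsoCoreWorker.exe", "4.231.128.59:443", "settings-win.data.microsoft.com", "whitelisted"),
    NetEvent("conn", 1268, "svchost.exe", "4.231.128.59:443", "settings-win.data.microsoft.com", "whitelisted"),
    NetEvent("conn", 2324, "RUXIMICS.exe", "4.231.128.59:443", "settings-win.data.microsoft.com", "whitelisted"),
    NetEvent("conn", 4, "System", "192.168.100.255:138", "", "whitelisted"),
    NetEvent("conn", 5944, "MoUsoCoreWorker.exe", "23.55.104.172:80", "crl.microsoft.com", "whitelisted"),
    NetEvent("conn", 2324, "RUXIMICS.exe", "23.55.104.172:80", "crl.microsoft.com", "whitelisted"),
    NetEvent("conn", 1268, "svchost.exe", "23.55.104.172:80", "crl.microsoft.com", "whitelisted"),
    NetEvent("conn", 5944, "MoUsoCoreWorker.exe", "95.101.149.131:80", "www.microsoft.com", "whitelisted"),
    NetEvent("conn", 1268, "svchost.exe", "95.101.149.131:80", "www.microsoft.com", "whitelisted"),
]

# DNS answers copied from the DNS requests table above.
DNS = {
    "settings-win.data.microsoft.com": ["4.231.128.59", "51.124.78.146", "20.73.194.208"],
    "google.com": ["216.58.206.46"],
    "crl.microsoft.com": ["23.55.104.172", "23.55.104.190"],
    "www.microsoft.com": ["95.101.149.131"],
    "activation-v2.sls.microsoft.com": ["40.91.76.224", "20.83.72.98"],
    "self.events.data.microsoft.com": ["20.52.64.200"],
    "www.bing.com": ["2.16.241.218", "2.16.241.201"],
}

# Suffixes an idle Windows 10 guest is expected to talk to (assumption, not an ANY.RUN list).
EXPECTED_SUFFIXES = (".microsoft.com", ".bing.com")


def host_of(ev: NetEvent) -> str:
    """Hostname of an event: parsed from the URL for HTTP rows, the domain column otherwise."""
    if ev.kind == "http":
        return urlsplit(ev.target).hostname or ""
    return ev.target


def attribute(events: list[NetEvent] = EVENTS) -> dict[str, list[NetEvent]]:
    """Split events into sample tree / background / unattributed (no PID in the row)."""
    buckets: dict[str, list[NetEvent]] = {"sample_tree": [], "background": [], "unattributed": []}
    for ev in events:
        if ev.pid is None:
            buckets["unattributed"].append(ev)
        elif ev.pid in MONITORED_PIDS:
            buckets["sample_tree"].append(ev)
        else:
            buckets["background"].append(ev)
    return buckets


def background_pids(events: list[NetEvent] = EVENTS) -> dict[int, str]:
    """PID -> process name for every network row outside the monitored tree."""
    return {ev.pid: ev.process for ev in events
            if ev.pid is not None and ev.pid not in MONITORED_PIDS}


def unexpected_hosts(events: list[NetEvent] = EVENTS, dns: dict = DNS) -> set[str]:
    """Hosts (contacted or merely resolved) outside the expected suffix list."""
    hosts = {host_of(ev) for ev in events} | set(dns)
    return {h for h in hosts if h and not h.endswith(EXPECTED_SUFFIXES)}


def resolved_never_contacted(events: list[NetEvent] = EVENTS, dns: dict = DNS) -> set[str]:
    """Names that appear in DNS answers but in no HTTP or connection row."""
    return set(dns) - {host_of(ev) for ev in events}


if __name__ == "__main__":
    b = attribute()
    print("sample-tree events:", len(b["sample_tree"]), "| background:", len(b["background"]),
          "| unattributed:", len(b["unattributed"]))
    print("background PIDs:", background_pids())
    print("outside allowlist:", unexpected_hosts())
    print("resolved but never contacted:", resolved_never_contacted())
```

The result is zero sample-tree events, three unattributed rows (the activation POSTs and the Bing POST), and google.com as the only name outside the allowlist, resolved but never contacted in the listed rows. The three unattributed rows are the ones to cross-check in the PCAP before concluding that the sample was silent on the wire: a sandbox row with no PID can be a background process the hook missed just as easily as the sample, and the report itself does not say which. Together with "Threats: 0", that is the basis for treating this run as having produced no C2 indicators, not as proof that the binary has none.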

Threats (IDS)

No threats detected

Debug info: none