File name: 2025-03-24_355093473251545c6edb50aab21a5774_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch

Full analysis: https://app.any.run/tasks/d4ab714f-0b23-45ad-bc10-462cd8bf26da
Verdict: Malicious activity
Threats:

Stealers are a category of malicious software intended to gain unauthorized access to users' information and transfer it to the attacker. The stealer category includes various programs that each focus on a particular kind of data, including files, passwords, and cryptocurrency. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: March 24, 2025, 18:12:11
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
evasion
uac
discord
skuld
stealer
arch-doc
screenshot
crypto-regex
discordgrabber
generic
golang
ip-check
ims-api
susp-powershell
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64, for MS Windows, 8 sections
MD5: 355093473251545C6EDB50AAB21A5774
SHA1: 7B43F1D12102CE80B71222594FFBD324EE75C74B
SHA256: EE818D0DC6FF205EC678A47AA586DD9642C71C4D13F45772DAE5C1EFA1B59C7C
SSDEEP: 98304:Ictab6NLs+o/rlNnTcVoOFt7L8Uzi4faOhgkzajJjQ7nDkHlMPz9Ijlr0/zS14W/:T4

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Bypass User Account Control (Modify registry)

      • 2025-03-24_355093473251545c6edb50aab21a5774_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe (PID: 5892)
    • SKULD has been detected

      • 2025-03-24_355093473251545c6edb50aab21a5774_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe (PID: 5892)
      • 2025-03-24_355093473251545c6edb50aab21a5774_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe (PID: 4300)
      • 2025-03-24_355093473251545c6edb50aab21a5774_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe (PID: 4300)
    • Changes the autorun value in the registry

      • 2025-03-24_355093473251545c6edb50aab21a5774_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe (PID: 4300)
    • Bypass User Account Control (fodhelper)

      • fodhelper.exe (PID: 7084)
    • Changes Windows Defender settings

      • 2025-03-24_355093473251545c6edb50aab21a5774_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe (PID: 4300)
    • Adds path to the Windows Defender exclusion list

      • 2025-03-24_355093473251545c6edb50aab21a5774_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe (PID: 4300)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 4108)
    • Changes powershell execution policy (Bypass)

      • 2025-03-24_355093473251545c6edb50aab21a5774_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe (PID: 4300)
    • Steals credentials from Web Browsers

      • 2025-03-24_355093473251545c6edb50aab21a5774_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe (PID: 4300)
    • Actions look like stealing of personal data

      • 2025-03-24_355093473251545c6edb50aab21a5774_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe (PID: 4300)
    • Changes settings for sending potential threat samples to Microsoft servers

      • powershell.exe (PID: 6972)
    • Changes settings for real-time protection

      • powershell.exe (PID: 6972)
    • Changes settings for protection against network attacks (IPS)

      • powershell.exe (PID: 6972)
    • Changes Controlled Folder Access settings

      • powershell.exe (PID: 6972)
    • Changes settings for reporting to Microsoft Active Protection Service (MAPS)

      • powershell.exe (PID: 6972)
    • Changes settings for checking scripts for malicious actions

      • powershell.exe (PID: 6972)
    • Changes antivirus protection settings for downloading files from the Internet (IOAVProtection)

      • powershell.exe (PID: 6972)
    • DISCORDGRABBER has been detected (YARA)

      • 2025-03-24_355093473251545c6edb50aab21a5774_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe (PID: 4300)
    • SKULD has been detected (YARA)

      • 2025-03-24_355093473251545c6edb50aab21a5774_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe (PID: 4300)
  • SUSPICIOUS

    • Changes default file association

      • 2025-03-24_355093473251545c6edb50aab21a5774_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe (PID: 5892)
    • Creates or modifies Windows services

      • 2025-03-24_355093473251545c6edb50aab21a5774_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe (PID: 4300)
    • Starts CMD.EXE for command execution

      • 2025-03-24_355093473251545c6edb50aab21a5774_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe (PID: 5892)
    • Executable content was dropped or overwritten

      • 2025-03-24_355093473251545c6edb50aab21a5774_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe (PID: 4300)
      • csc.exe (PID: 5960)
    • Uses WMIC.EXE to obtain Windows Installer data

      • 2025-03-24_355093473251545c6edb50aab21a5774_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe (PID: 4300)
    • Uses ATTRIB.EXE to modify file attributes

      • 2025-03-24_355093473251545c6edb50aab21a5774_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe (PID: 4300)
    • Accesses product unique identifier via WMI (SCRIPT)

      • WMIC.exe (PID: 1164)
      • WMIC.exe (PID: 3332)
    • Reads disk information to detect sandboxing environments

      • 2025-03-24_355093473251545c6edb50aab21a5774_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe (PID: 4300)
    • Accesses video controller name via WMI (SCRIPT)

      • WMIC.exe (PID: 5720)
      • WMIC.exe (PID: 2516)
    • Uses WMIC.EXE to obtain operating system information

      • 2025-03-24_355093473251545c6edb50aab21a5774_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe (PID: 4300)
    • Starts POWERSHELL.EXE for command execution

      • 2025-03-24_355093473251545c6edb50aab21a5774_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe (PID: 4300)
    • Script adds exclusion path to Windows Defender

      • 2025-03-24_355093473251545c6edb50aab21a5774_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe (PID: 4300)
    • Checks for external IP

      • svchost.exe (PID: 2196)
      • 2025-03-24_355093473251545c6edb50aab21a5774_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe (PID: 4300)
    • Uses NETSH.EXE to obtain data on the network

      • 2025-03-24_355093473251545c6edb50aab21a5774_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe (PID: 4300)
    • The process bypasses the loading of PowerShell profile settings

      • 2025-03-24_355093473251545c6edb50aab21a5774_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe (PID: 4300)
    • Base64-obfuscated command line is found

      • 2025-03-24_355093473251545c6edb50aab21a5774_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe (PID: 4300)
    • BASE64 encoded PowerShell command has been detected

      • 2025-03-24_355093473251545c6edb50aab21a5774_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe (PID: 4300)
    • Accesses operating system name via WMI (SCRIPT)

      • WMIC.exe (PID: 1276)
    • Uses WMIC.EXE to obtain CPU information

      • 2025-03-24_355093473251545c6edb50aab21a5774_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe (PID: 4300)
    • Uses WMIC.EXE to obtain a list of video controllers

      • 2025-03-24_355093473251545c6edb50aab21a5774_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe (PID: 4300)
    • Script disables Windows Defender's IPS

      • 2025-03-24_355093473251545c6edb50aab21a5774_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe (PID: 4300)
    • Script disables Windows Defender's real-time protection

      • 2025-03-24_355093473251545c6edb50aab21a5774_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe (PID: 4300)
    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 5960)
    • Modifies hosts file to alter network resolution

      • 2025-03-24_355093473251545c6edb50aab21a5774_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe (PID: 4300)
    • Found regular expressions for crypto-addresses (YARA)

      • 2025-03-24_355093473251545c6edb50aab21a5774_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe (PID: 4300)
    • There is functionality for taking screenshots (YARA)

      • 2025-03-24_355093473251545c6edb50aab21a5774_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe (PID: 4300)
    • There is functionality for capturing the public IP (YARA)

      • 2025-03-24_355093473251545c6edb50aab21a5774_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe (PID: 4300)
    • Multiple wallet extension IDs have been found

      • 2025-03-24_355093473251545c6edb50aab21a5774_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe (PID: 4300)
    • Possible usage of Discord/Telegram API has been detected (YARA)

      • 2025-03-24_355093473251545c6edb50aab21a5774_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe (PID: 4300)
    • Captures screenshot (POWERSHELL)

      • powershell.exe (PID: 4108)
  • INFO

    • Reads the computer name

      • 2025-03-24_355093473251545c6edb50aab21a5774_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe (PID: 5892)
      • 2025-03-24_355093473251545c6edb50aab21a5774_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe (PID: 4300)
    • Checks supported languages

      • 2025-03-24_355093473251545c6edb50aab21a5774_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe (PID: 5892)
      • 2025-03-24_355093473251545c6edb50aab21a5774_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe (PID: 4300)
      • csc.exe (PID: 5960)
      • cvtres.exe (PID: 2420)
    • Drops encrypted JS script (Microsoft Script Encoder)

      • 2025-03-24_355093473251545c6edb50aab21a5774_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe (PID: 5892)
      • 2025-03-24_355093473251545c6edb50aab21a5774_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe (PID: 4300)
    • Reads security settings of Internet Explorer

      • fodhelper.exe (PID: 7084)
      • WMIC.exe (PID: 1164)
      • WMIC.exe (PID: 5720)
      • WMIC.exe (PID: 1276)
      • WMIC.exe (PID: 2516)
      • WMIC.exe (PID: 3332)
      • WMIC.exe (PID: 7036)
      • notepad.exe (PID: 6576)
      • notepad.exe (PID: 5964)
      • notepad.exe (PID: 900)
    • Creates files or folders in the user directory

      • 2025-03-24_355093473251545c6edb50aab21a5774_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe (PID: 4300)
    • Reads the machine GUID from the registry

      • 2025-03-24_355093473251545c6edb50aab21a5774_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe (PID: 4300)
      • csc.exe (PID: 5960)
    • Reads the software policy settings

      • 2025-03-24_355093473251545c6edb50aab21a5774_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe (PID: 4300)
      • slui.exe (PID: 856)
    • Creates files in a temporary directory

      • 2025-03-24_355093473251545c6edb50aab21a5774_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe (PID: 4300)
      • cvtres.exe (PID: 2420)
      • csc.exe (PID: 5960)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 4380)
      • powershell.exe (PID: 6972)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 4380)
      • powershell.exe (PID: 6972)
    • Manual execution by a user

      • notepad.exe (PID: 6576)
      • notepad.exe (PID: 900)
      • notepad.exe (PID: 5964)
    • Application based on Golang

      • 2025-03-24_355093473251545c6edb50aab21a5774_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe (PID: 4300)
    • Found Base64 encoded reflection usage via PowerShell (YARA)

      • 2025-03-24_355093473251545c6edb50aab21a5774_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe (PID: 4300)
    • Detects GO elliptic curve encryption (YARA)

      • 2025-03-24_355093473251545c6edb50aab21a5774_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe (PID: 4300)
    • Checks proxy server information

      • slui.exe (PID: 856)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

ims-api

(PID) Process: (4300) 2025-03-24_355093473251545c6edb50aab21a5774_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe
Discord-Webhook-Tokens (1): 1350895550920134686/ueTgZjJrTMbN9wj5aMIyqvGWMRilKU2UI-mtdLnGPvg91h2YDqcdLgVuOI2VjBG_iGT1
Discord-Info-Links: Get Webhook Info: https://discord.com/api/webhooks/1350895550920134686/ueTgZjJrTMbN9wj5aMIyqvGWMRilKU2UI-mtdLnGPvg91h2YDqcdLgVuOI2VjBG_iGT1
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 3
CodeSize: 5198848
InitializedDataSize: 568832
UninitializedDataSize: -
EntryPoint: 0x77c60
OSVersion: 6.1
ImageVersion: 1
SubsystemVersion: 6.1
Subsystem: Windows command line
No data.
All screenshots are available in the full report
Total processes: 149
Monitored processes: 29
Malicious processes: 5
Suspicious processes: 1

Behavior graph

  • start #SKULD 2025-03-24_355093473251545c6edb50aab21a5774_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe (no specs)
  • conhost.exe (no specs)
  • cmd.exe (no specs)
  • fodhelper.exe (no specs)
  • fodhelper.exe (no specs)
  • fodhelper.exe
  • #DISCORDGRABBER 2025-03-24_355093473251545c6edb50aab21a5774_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe
  • conhost.exe (no specs)
  • attrib.exe (no specs)
  • attrib.exe (no specs)
  • wmic.exe (no specs)
  • wmic.exe (no specs)
  • svchost.exe
  • wmic.exe (no specs)
  • powershell.exe (no specs)
  • wmic.exe (no specs)
  • wmic.exe (no specs)
  • wmic.exe (no specs)
  • netsh.exe (no specs)
  • powershell.exe (no specs)
  • powershell.exe (no specs)
  • csc.exe
  • cvtres.exe (no specs)
  • notepad.exe (no specs)
  • notepad.exe (no specs)
  • attrib.exe (no specs)
  • attrib.exe (no specs)
  • notepad.exe (no specs)
  • slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 720 | CMD: cmd.exe /C fodhelper | Path: C:\Windows\System32\cmd.exe | Parent process: 2025-03-24_355093473251545c6edb50aab21a5774_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 856 | CMD: C:\WINDOWS\System32\slui.exe -Embedding | Path: C:\Windows\System32\slui.exe | Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 900 | CMD: "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\logins.txt | Path: C:\Windows\System32\notepad.exe | Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID: 920 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: 2025-03-24_355093473251545c6edb50aab21a5774_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 960 | CMD: fodhelper | Path: C:\Windows\System32\fodhelper.exe | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Features On Demand Helper
Exit code:
3221226540
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\fodhelper.exe
c:\windows\system32\ntdll.dll
PID: 976 | CMD: "C:\WINDOWS\system32\fodhelper.exe" | Path: C:\Windows\System32\fodhelper.exe | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Features On Demand Helper
Exit code:
3221226540
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\fodhelper.exe
c:\windows\system32\ntdll.dll
PID: 1164 | CMD: wmic csproduct get UUID | Path: C:\Windows\System32\wbem\WMIC.exe | Parent process: 2025-03-24_355093473251545c6edb50aab21a5774_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID: 1188 | CMD: attrib +h +s C:\Users\admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe | Path: C:\Windows\System32\attrib.exe | Parent process: 2025-03-24_355093473251545c6edb50aab21a5774_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Attribute Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\attrib.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
PID: 1276 | CMD: wmic os get Caption | Path: C:\Windows\System32\wbem\WMIC.exe | Parent process: 2025-03-24_355093473251545c6edb50aab21a5774_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID: 2196 | CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | Path: C:\Windows\System32\svchost.exe | Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
Total events: 25 483
Read events: 25 475
Write events: 7
Delete events: 1

Modification events

(PID) Process: (5892) 2025-03-24_355093473251545c6edb50aab21a5774_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe | Key: HKEY_CLASSES_ROOT\ms-settings\shell\open\command | Operation: write | Name: DelegateExecute | Value: (empty)
(PID) Process: (5892) 2025-03-24_355093473251545c6edb50aab21a5774_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe | Key: HKEY_CLASSES_ROOT\ms-settings\shell\open\command | Operation: delete value | Name: DelegateExecute | Value: (empty)
(PID) Process: (7084) fodhelper.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer | Operation: write | Name: SlowContextMenuEntries | Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process: (7084) fodhelper.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | Operation: write | Name: CachePrefix | Value: (empty)
(PID) Process: (7084) fodhelper.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | Operation: write | Name: CachePrefix | Value: Cookie:
(PID) Process: (7084) fodhelper.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | Operation: write | Name: CachePrefix | Value: Visited:
(PID) Process: (4300) 2025-03-24_355093473251545c6edb50aab21a5774_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\partmgr | Operation: write | Name: EnableCounterForIoctl | Value: 1
(PID) Process: (4300) 2025-03-24_355093473251545c6edb50aab21a5774_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Operation: write | Name: Realtek HD Audio Universal Service | Value: C:\Users\admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
Executable files: 2
Suspicious files: 7
Text files: 13
Unknown types: 0

Dropped files

PID
Process
Filename
Type
PID: 4300 | Process: 2025-03-24_355093473251545c6edb50aab21a5774_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe | Filename: C:\Users\admin\AppData\Local\Temp\browsers-temp\admin\Edge\Default\cookies.txt | Type: text
MD5: 4E7E979B554CE1F04144AAF6C5F6A321
SHA256: DAA03BBC2A5969DD0129DD53FC3FA889BC1938DB3622C1C1B8DA9AA951401C73
PID: 4380 | Process: powershell.exe | Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_1541rqj5.ulz.psm1 | Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID: 4300 | Process: 2025-03-24_355093473251545c6edb50aab21a5774_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe | Filename: C:\Users\admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe | Type: executable
MD5: 355093473251545C6EDB50AAB21A5774
SHA256: EE818D0DC6FF205EC678A47AA586DD9642C71C4D13F45772DAE5C1EFA1B59C7C
PID: 4380 | Process: powershell.exe | Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_yhjjty5s.qzf.ps1 | Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID: 4300 | Process: 2025-03-24_355093473251545c6edb50aab21a5774_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe | Filename: C:\Users\admin\AppData\Local\Temp\commonfiles-temp\admin\authorunderstanding.png | Type: binary
MD5: 0A5002A1360F7A67473AA80078C90C28
SHA256: 49389E808DE427A97C49B091C74E1B5AC14A977F4BBB9A364E1857297205842F
PID: 4380 | Process: powershell.exe | Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | Type: binary
MD5: 1C9913D7E4CE5C664CEA45D29BF4316D
SHA256: 2A57F3873DD9E0127DFF34C9C024C9203959DCFB32C2E987B4EA449E86AA2A8A
PID: 4300 | Process: 2025-03-24_355093473251545c6edb50aab21a5774_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe | Filename: C:\Users\admin\AppData\Local\Temp\browsers.zip | Type: compressed
MD5: 91CCE39DE82F6B8B6E3A39EE0E990AC5
SHA256: 8B68EAC50D5DB06A5AB81DBA89E0E1E0008B452073D721134181D67599A0AA89
PID: 5960 | Process: csc.exe | Filename: C:\Users\admin\AppData\Local\Temp\l4j3as1r\l4j3as1r.out | Type: text
MD5: 8992467CADB5D13DA6EDAD5F9BEC756C
SHA256: 272A39F4879CE56971AA804837898BCB0E393BDC84BE17E1CD6962FC736F2547
PID: 5960 | Process: csc.exe | Filename: C:\Users\admin\AppData\Local\Temp\l4j3as1r\CSC5060F317658940E8A2D70BE9C5512EF.TMP | Type: binary
MD5: AC49973BCC34157E871B137803935B61
SHA256: 2A1299F755273621E0A10812764986C7219D2F321DBF5C13AE9B5E11796BF4FC
PID: 2420 | Process: cvtres.exe | Filename: C:\Users\admin\AppData\Local\Temp\RESE503.tmp | Type: binary
MD5: 7400F869973DB231495B05941C920A5E
SHA256: 348254267D0BC42D4493F83D859132C61030F8D8B768E08439F785956EDE706B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 9
TCP/UDP connections: 26
DNS requests: 8
Threats: 38

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4300
2025-03-24_355093473251545c6edb50aab21a5774_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe
GET
200
208.95.112.1:80
http://ip-api.com/line/?fields=hosting
unknown
unknown
4300
2025-03-24_355093473251545c6edb50aab21a5774_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe
GET
200
208.95.112.1:80
http://ip-api.com/json
unknown
unknown
GET
404
51.91.7.6:443
https://api.gofile.io/getServer
unknown
text
14 b
whitelisted
GET
200
104.26.13.205:443
https://api.ipify.org/
unknown
text
12 b
malicious
POST
162.159.136.232:443
https://discord.com/api/webhooks/1350895550920134686/ueTgZjJrTMbN9wj5aMIyqvGWMRilKU2UI-mtdLnGPvg91h2YDqcdLgVuOI2VjBG_iGT1
unknown
whitelisted
POST
500
20.83.72.98:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
POST
500
20.83.72.98:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
POST
162.159.128.233:443
https://discord.com/api/webhooks/1350895550920134686/ueTgZjJrTMbN9wj5aMIyqvGWMRilKU2UI-mtdLnGPvg91h2YDqcdLgVuOI2VjBG_iGT1
unknown
whitelisted
POST
162.159.136.232:443
https://discord.com/api/webhooks/1350895550920134686/ueTgZjJrTMbN9wj5aMIyqvGWMRilKU2UI-mtdLnGPvg91h2YDqcdLgVuOI2VjBG_iGT1
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
unknown
4
System
192.168.100.255:137
unknown
4
System
192.168.100.255:138
unknown
4300
2025-03-24_355093473251545c6edb50aab21a5774_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe
104.26.12.205:443
api.ipify.org
CLOUDFLARENET
US
unknown
4300
2025-03-24_355093473251545c6edb50aab21a5774_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe
208.95.112.1:80
ip-api.com
TUT-AS
US
unknown
4300
2025-03-24_355093473251545c6edb50aab21a5774_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe
51.91.7.6:443
api.gofile.io
OVH SAS
FR
unknown
4300
2025-03-24_355093473251545c6edb50aab21a5774_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe
162.159.138.232:443
discord.com
CLOUDFLARENET
unknown
4300
2025-03-24_355093473251545c6edb50aab21a5774_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe
162.159.137.232:443
discord.com
CLOUDFLARENET
unknown
4424
slui.exe
40.91.76.224:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
856
slui.exe
40.91.76.224:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
unknown
google.com
  • 172.217.18.14
unknown
api.ipify.org
  • 104.26.12.205
  • 172.67.74.152
  • 104.26.13.205
unknown
ip-api.com
  • 208.95.112.1
unknown
api.gofile.io
  • 51.91.7.6
  • 45.112.123.126
unknown
discord.com
  • 162.159.138.232
  • 162.159.128.233
  • 162.159.137.232
  • 162.159.135.232
  • 162.159.136.232
unknown
activation-v2.sls.microsoft.com
  • 40.91.76.224
unknown

Threats

PID
Process
Class
Message
2196
svchost.exe
Misc activity
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
4300
2025-03-24_355093473251545c6edb50aab21a5774_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe
Misc activity
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
Device Retrieving External IP Address Detected
ET INFO External IP Lookup api.ipify.org
Misc activity
ET INFO Go-http-client User-Agent Observed Outbound
Misc activity
ET USER_AGENTS Go HTTP Client User-Agent
Device Retrieving External IP Address Detected
POLICY [ANY.RUN] External IP Lookup by HTTP (api .ipify .org)
2196
svchost.exe
Device Retrieving External IP Address Detected
INFO [ANY.RUN] External IP Check (ip-api .com)
2196
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
4300
2025-03-24_355093473251545c6edb50aab21a5774_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe
Misc activity
ET INFO Go-http-client User-Agent Observed Outbound
4300
2025-03-24_355093473251545c6edb50aab21a5774_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup ip-api.com
No debug info