gofing | 735201ab01cef7f438c8ab43fc13a4eb40020f03fee74aa98cd1a0ebb894182e

Analysis

max time kernel
118s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2025, 22:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
Size

12.3MB
MD5

004695a17ca34f02437fe7be63e42583
SHA1

f727f8d75084a4265bc893a4fb9f6620fd0e5420
SHA256

735201ab01cef7f438c8ab43fc13a4eb40020f03fee74aa98cd1a0ebb894182e
SHA512

dc4503a84fc01ac78409b86664338bce17245c8a92e78a858a5d09bdf39376182c1f2db3bd88888d8994d15cccacda354b200e05e680407a994ec9fb5f86ecfa
SSDEEP

196608:pWvSDzaxztQVyTNFl/hlLp2c8t3k/gjGyah9br+sFPOJ1yd+upRDXNfA:8KVIXl/hlN2c43k/02bqsFDdrzfA

Score

10^/10

gofing ransomware

Malware Config

Signatures

Gofing
Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.
ransomware gofing
Gofing family
gofing

Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation. 25 IoCs

resource	yara_rule
behavioral2/files/0x0003000000022a74-4.dat	family_gofing
behavioral2/files/0x0002000000021965-5522.dat	family_gofing
behavioral2/files/0x0002000000021965-5521.dat	family_gofing
behavioral2/files/0x0002000000021965-5520.dat	family_gofing
behavioral2/files/0x0002000000021965-5528.dat	family_gofing
behavioral2/files/0x0002000000021965-5534.dat	family_gofing
behavioral2/files/0x0002000000021965-5533.dat	family_gofing
behavioral2/files/0x0002000000021965-5532.dat	family_gofing
behavioral2/files/0x0002000000021965-5531.dat	family_gofing
behavioral2/files/0x0002000000021965-5530.dat	family_gofing
behavioral2/files/0x0002000000021965-5527.dat	family_gofing
behavioral2/files/0x0002000000021965-5526.dat	family_gofing
behavioral2/files/0x0002000000021965-5525.dat	family_gofing
behavioral2/files/0x0002000000021965-5524.dat	family_gofing
behavioral2/files/0x0002000000021965-5523.dat	family_gofing
behavioral2/files/0x0002000000021965-5519.dat	family_gofing
behavioral2/files/0x0002000000021965-5517.dat	family_gofing
behavioral2/files/0x0002000000021965-5516.dat	family_gofing
behavioral2/files/0x0002000000021965-5540.dat	family_gofing
behavioral2/files/0x0002000000021965-5538.dat	family_gofing
behavioral2/files/0x0002000000021965-5537.dat	family_gofing
behavioral2/files/0x0002000000021965-5545.dat	family_gofing
behavioral2/files/0x0002000000021965-5544.dat	family_gofing
behavioral2/files/0x0002000000021965-5542.dat	family_gofing
behavioral2/files/0x0002000000021965-5541.dat	family_gofing

Drops desktop.ini file(s) 3 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\desktop.ini	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\$Recycle.Bin\S-1-5-21-3342763580-2723508992-2885672917-1000\desktop.ini	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\MANIFEST.XML	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-96.png	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\UIAutomationClientSideProviders.resources.dll	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Common Files\System\ado\msado60.tlb	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-ul-phn.xrm-ms	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\LargeTile.scale-100_contrast-black.png	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-black_targetsize-48.png	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-72.png	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_Mocking.help.txt	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Extensions.dll	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-white\MedTile.scale-125.png	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-60.png	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\ScreenSketchStoreLogo.scale-100_contrast-black.png	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Diagnostics.EventLog.dll	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Common.dll	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MediumTile.scale-125_contrast-white.png	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\word2013.dotx	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageBadgeLogo.scale-125.png	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\StopwatchMedTile.contrast-black_scale-100.png	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\OrientationControlInnerCircleHover.png	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_KMS_ClientC2R-ppd.xrm-ms	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-pl.xrm-ms	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\AppCS\offlineStrings.js	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Forms.Primitives.resources.dll	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-ul-oob.xrm-ms	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_OEM_Perp-pl.xrm-ms	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL002.XML	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-white\MedTile.scale-125.png	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\BadgeLogo.scale-400_contrast-black.png	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosLargeTile.contrast-black_scale-200.png	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscordbi.dll	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jre-1.8\bin\net.dll	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\resources\strings\LocalizedStrings_et.json	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\Microsoft.VisualBasic.Forms.resources.dll	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Office16\JitV.dll	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\offsymk.ttf	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.Services.Design.resources.dll	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\MoviesAnywhereLogoWithTextLight.scale-125.png	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_ReptileEye.png	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-30_altform-unplated.png	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\en-gb\lpcstrings.json	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.Recommendation.Common.dll	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\EXPLODE.WAV	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-60_altform-unplated.png	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsLargeTile.scale-100.png	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-96.png	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.Xml.dll	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\UIAutomationProvider.resources.dll	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\System.Windows.Input.Manipulations.resources.dll	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\VideoLAN\VLC\lua\playlist\anevia_xml.luac	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\PeopleLargeTile.scale-125.png	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-80_altform-lightunplated.png	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\PresentationUI.resources.dll	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNewNoteSmallTile.scale-150.png	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarSmallTile.scale-150.png	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-96_altform-unplated.png	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\ShouldBeLessThan.snippets.ps1xml	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\onboarding\contacts_variant1_v3.png	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\System.Windows.Forms.Primitives.resources.dll	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription1-pl.xrm-ms	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-util-l1-1-0.dll	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\basicstylish.dotx	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe

C:\Users\Admin\AppData\Local\Temp\2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
PID:1936

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7-zip.dll

Filesize
4.2MB

MD5
09720c09a1e4021b36a0d2bbe6bf9ed5

SHA1
de35af54afd90549b0c746e32661e76bad7e0978

SHA256
1d341ce84aa912f82df0ab86e98e56d32ce396fcd66a07b963625a8f2417b7c3

SHA512
594220539d60d62ca2f8e71198e179e93f2b47d37b5e3a8bb1c319aefd925dacd66e5d723f1005963a3f6d1a19e81953d5e4cd713eb2853072c01eddc5ec000c

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

Filesize
3.2MB

MD5
c807a7e1fd3a062ee2b3c62f174384e2

SHA1
c812d01af47673ce4f3456a8f4931a30c0c504db

SHA256
d846abcf43e0e32881218f9e76dddac4ac37393ac7a9c037242a1f0d79e0f942

SHA512
67348d7cf61f820d1d2602c7bcc8843f2dd67e8f561f1e20c588bcae74dcea7d9054753d1c417a1d04ee4958de17defb7a157181c33667d51e0f123daad97139

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

Filesize
3.1MB

MD5
93ace96cfe78916ff837de5298edcdfa

SHA1
f8ab7436ccff4b768465b179b228ccd5a5331b6b

SHA256
f7de29011d7e4adaa09c1f233cd1b952f7a2b162497aed5d8f9079f599fb80ef

SHA512
5de56476af91361f76f5ddfafc5cc3bf77162c47a0e9f92caaa6f1fc5ce79413499a36e6c4c78532d3b8dbb57d1ebecd932e316edf0e7df5e0cc893c04b0fd61

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

Filesize
2.8MB

MD5
ea32be03594c09ff6679e9ef8c0d7d98

SHA1
3a4c59b516281e99a100db39df587b7eb7702c4c

SHA256
adf04efd02780eab28407165ef5f405d101a2cd94d75d3086cf1cc8c319ae87c

SHA512
1f9bf3c7e59c059babc278547134926886be273cf74b5b18dd3c9052acf72e537fae95b3c2081dbb8af07cf4b7dfe4fec816d446922e347c408411a81c6ed6bf

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

Filesize
2.6MB

MD5
d031ca299f4c07d5052275f793b2fbd9

SHA1
7c9885045c869e3c350f4e5c5bb84ccd046e2614

SHA256
64a3c9df364a36cac7b6cba735da9e40f46c896f13673b920aebf5dfb782f41d

SHA512
bf0a71a82bb353b00e81881263c0b2cbaa4e58ed678cc7eb993f9acb961067798db48cd77296b764eaa0f63df95629e2aae6c877e2faf081b2920424c6961938

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

Filesize
2.5MB

MD5
d3de6d1b86e1e296d7e190444713b9f9

SHA1
29577f6bdd8dec9e9805bc2d494948a9ba7f4333

SHA256
af148aeb22fe17717d6dc90bb7606745ccd32ab42470d165418432f5eeab338d

SHA512
c34b7d0b1a2f167a0ea38574c9168b702a62e28bd25893d6e99a831de2bfbd1afc2acba281c040ee0c83d9f5ce5e1c8cab1a97793515d1530e723aa3bd0c5632

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

Filesize
3.0MB

MD5
c08ed3a21a57769715fdf948061e75b7

SHA1
22be567e32b3c24fca17df069127817e0fccce56

SHA256
4d4076999a41dc4eb66cc50eebd54a00d2c0c2e7a8fa85f0031a45458e6c2372

SHA512
07e2847f2931e8444378f954083373048bc2f2cbe0d871fc606ee5621a03add561d8bd49e54deb8c727fc387a0cded3b3f369522d0383c7eb5c55bc4f57dad5f

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

Filesize
3.0MB

MD5
db3c40b09b99368f9a0212573fe9d2eb

SHA1
3ac8aa8ba84808aad395989ffea136730d4594da

SHA256
3f9a4aba51a29b036c444be8c723e014438fbec8c22873fc15da55e84c3c7d9c

SHA512
8745b4f3ec9d18830b91cc4cb225842b502ffb5bf0135de19973ceaf50844391dc8f3292901a700178db2e508f1abc65cfc3b1cc90f7a3c251022bc42eb09c11

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

Filesize
3.6MB

MD5
3f10698f543d43857124f094034fec4b

SHA1
60f12f06ac300fb5dc9d0f076f392bf3a9908b7a

SHA256
aff0468aff94e55f1b86e2921d8f61fa769218eb07bdf6288a2f69702728f3d3

SHA512
aa42c3d477f1b535a8c2450c03f12012da6a404fbe06d45b4615de9518a2627b0f96aa7107a5e90398aeee13570dad1e4bd47afaba45cd015e987e489ef4c909

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

Filesize
3.1MB

MD5
df7338521fca26005704ad19a1fa486d

SHA1
2c67a50858f904067e6616c6a8333279c90857b3

SHA256
8f865ca6dbcc560accef257f7b5987f2c5224ec631b53fae3a7ba05db6a0d296

SHA512
6beedaf9b2396e485a42da90185a81e4395b64c6cb33a8cbaf09ec4f67734542d1e5e9ff44c83c32accd054ca0c2e2cbaf7058e56afd982a4e2902362f8eb161

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

Filesize
3.9MB

MD5
462161f827df125b51a6f22cdc207d51

SHA1
9775d9212cfa2869f9ec3993e6644d18a25cd198

SHA256
fdbeab55369ef7606d56063f5b8e4a7870b6a8102e2026713cd8ada5b129ec86

SHA512
1b263042ca42f44ea477c654a962db14bd1def56862764d04353332d68f3317633348dd4ae16c0c46014b5de34ee08c236f43a5eb515cd0bc067563934cc6705

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

Filesize
2.6MB

MD5
18419682dd36b5a3d16bc37a616fb952

SHA1
6d8d33cf462d9d045d99883c637d7402d21a0b9a

SHA256
0cb3b9f6d90b2fc0929906839d74ec53e16814f0d893cb7af0bbd8b830bacf32

SHA512
77703e0c9655f19fed9923fc73307d8bf4a3489249d2aac7b8b43ef34599a0515bd56356dd61836f2f66721e643d0239c811fbfe3fc8f0f802461dfd8c4d26ec

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

Filesize
2.9MB

MD5
b8e097e4c130a6e37b53124f1f7d025a

SHA1
31b3ec4773c2348323348ce10e1f21c762fe6f2f

SHA256
c6cd3c10cba93d794743538318710183919b836a562280cffb072c4453f8440a

SHA512
afdebe7452345d8e53a90a1eb035210642bc61018f2daddfe05bd1e6288f1617d3f4b97b823d9430e4e1e9821f738ee95df22b29a2e7217db51e40458d841118

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

Filesize
3.1MB

MD5
4f66f4e496b7e7b65b8c8da618e7f47b

SHA1
6093d7dea93fb848fb1d991759c5aca26f73cfc3

SHA256
9c1f18664e1faefd9a89b773bf4a9c1be6b0794020ec90f897b3e60f17b66523

SHA512
27cba992a30efa2720fef93e3b5fccff2982eed38f399cd25d670c0dec8f56fdaf1fa80e69dca4910f49dde687cbd46b8b741e996ad9b303ce317bb4e8d20b62

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

Filesize
3.5MB

MD5
3ac509e8fdf8398c91545e055b15d6b7

SHA1
b52668d401f4d0f129f87cdc90745caaf39e2614

SHA256
0730a828c42ce03489b890e854ffe2301d24d9408d3edec2f6fd828a0b5791d9

SHA512
82a41846c03c7730bccb4598781a16b4fb2d035825fa9bad0022774212cef411e87bb46351ebb8edece3990a0882ed823b3b42e144047274bcc44b9faeecd7e3

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

Filesize
3.4MB

MD5
d4be28a440a8fc6e4b966fe543a044f7

SHA1
643dd44eebe1278b0c6c85739ee42fd0e1bc6f15

SHA256
2e06da0f22583c96145ea5bf442014ee48992ce07412a4a284aa44bfa2c77e64

SHA512
01d06683c490f68a1925ff2c5f50156a40063fdebd7dd7896a419e9e6beefe304f2351a3d20f69dea4c95772f274a82ac9251ed9833cb4f0b735f90b5c329d77

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

Filesize
3.4MB

MD5
9b94e27424a1fca23b76a785a7e9ef62

SHA1
75c4f7ec83e95d5a2bda56eeeaef877bc89c0580

SHA256
f514817ee2454bd4053ea1cc33ab01aec9cdd44b5769715d722ecbaddc7388b4

SHA512
268fa33c7c52e1c6142cbe68a1afa3361b7dea64dbdb7a9e12ea2f8feba379ce099bbce57d38d92333ee33ecd98202531ad1e2243f0d4366503568fd4ce1d6d4

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

Filesize
3.1MB

MD5
a6f590cc959d90f86188fb45c8132731

SHA1
08dc46e2d0e155359527d52fbab2609c0f6a60f4

SHA256
a122ae900f5b5e27f6d91dc98d89cbc60ae1e24c7af1b604fbac2ca2282fe2ed

SHA512
ca207030375734705326c502f448e01c0581216376b1d18967b5e319dfc601e0bcc3240e642204d396ef95b6cf2b758c07ad52d7fa6727285910ca1acc32eeb1

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

Filesize
3.1MB

MD5
d5161f9eae70e3171b2041a714a58343

SHA1
f58d4ca8ac2381af977d86d1e011d93860fb0b9c

SHA256
def334b5e2a01251d18fffc65c136192b0c339a05db0138dff8e4baac4c933b7

SHA512
9e339dd8eb2898cd9accaf07785915f79f031df5a5d72bf12d0ba75d5afba4f64fdae435a06affc1499377909ca577cab92026d413c52dae46af410473c35ee9

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

Filesize
2.4MB

MD5
334d5879775fb56a304688e3b74d9fa9

SHA1
6feefbcb832d0145a875759166d0a92806b11282

SHA256
7f752171e6d37d0585e264d9912f43c84dddb3349611001b73c4e0abd12937b4

SHA512
16ebd3a93450314eef8c78e3d6a7d7c2c94d6c669d2d13eacfead3e02f7f2d68e28829079b399a0126a494d6719eee95a6f716daeaaef0916b85b17f57e1d6a5

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

Filesize
2.6MB

MD5
3a8250e20ac3cce7253a43cca5a16687

SHA1
554f4edd75d62f1c85ed8274ffdef6b4a7e15e55

SHA256
fb4c7b6fe2fe5b158ad830ef454cd587e72e25172ab24e5473f5efead501ca06

SHA512
dd8ce2ee9c74f31fb913d38c49ae053101d1791a9f9ab13f8f325cfc343bf432098c8d6b205b54f960d3f62326d9151810434cd9249c12e618318f8a89fa4956

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

Filesize
2.4MB

MD5
00851723438261858bc99f44c4049a8a

SHA1
b842b5a074c3005342e991b53278a43444bf01c0

SHA256
d30248dd26f9535e85951cdb7f88689143a7782f2444e310b210cedfa7cc531f

SHA512
e2d0aec0cfc1e88bc4e2f910bac856bc36c5b5c92e5a798aa9e011926572bc61fb2564f11e2bf7907db7f42adaf5cfec045d9eb6afa8c05dfbb7753dd48b98d1

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

Filesize
2.6MB

MD5
7cf17259a448b6f4365f8faa629faf13

SHA1
c84d3c640cee9084a9fedd9b2652163e7d321391

SHA256
14c3668ceecbb55130eea10171642d8ad9ce3515cee2eb7f5a4cc34ca1be82f5

SHA512
0b9c46a28c601fb1e66cdb6759bbbf33f827ccbbc24ec8033238fe4d48ea1443ecbff5d02c988bfd7cded0d61b898c048ffa4c9486541f8b6f51df101534a508

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

Filesize
1.9MB

MD5
d601f6ca15510fb102f7bad7b47c6b15

SHA1
9f892a8d3a9746f22d321bf3dd3096d6b64ce341

SHA256
b1b8f916ef5f90811429aca540ecf11ea657cb1ecbddccec31aa3295fb7182cd

SHA512
4bc63702904b926374f77d7055b44fdff469a03524fc7f359c1f6b941135f7001fe760d8a1d070cd2940286d13fee50aaefff74d5306f9010d5620ec7dc115a8

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

Filesize
2.6MB

MD5
91840d0f59bb81b88c2467c69eb1c613

SHA1
28824a5dae4c7640a9733410ed646e60ed48c14d

SHA256
1277b8a3e2f22c9af7b34d09c68c1746482693c77eeffba15aa9e90d08c31b4e

SHA512
c17e72f5a6621a14b346e1c539f24179f42f93d133b04ee2b660634f516ca30c19e1dd6109790a6107e41e9ed146e56abc38717991dcc66cb562a2059412de0e

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

Filesize
2.0MB

MD5
46e6ade003d52a863fca62e69713f426

SHA1
8ad47f6ace20ac13d6ad259cc1f620c3b622ffb9

SHA256
928712c8f6d0e0922326704959397d3c495c52c4730566f138683fa2cd5b207a

SHA512
47c87fa9b183f8993ec0b1eb2494773a8ac201e6669fd8238e58e780024e38b1c3ab11db06ba76c0f33e3f9f378958677638fd8525f3054c020a9c2226bff6d0

Download Submit