gofing | 735201ab01cef7f438c8ab43fc13a4eb40020f03fee74aa98cd1a0ebb894182e

Analysis

max time kernel
101s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2025, 22:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
Size

12.3MB
MD5

004695a17ca34f02437fe7be63e42583
SHA1

f727f8d75084a4265bc893a4fb9f6620fd0e5420
SHA256

735201ab01cef7f438c8ab43fc13a4eb40020f03fee74aa98cd1a0ebb894182e
SHA512

dc4503a84fc01ac78409b86664338bce17245c8a92e78a858a5d09bdf39376182c1f2db3bd88888d8994d15cccacda354b200e05e680407a994ec9fb5f86ecfa
SSDEEP

196608:pWvSDzaxztQVyTNFl/hlLp2c8t3k/gjGyah9br+sFPOJ1yd+upRDXNfA:8KVIXl/hlN2c43k/02bqsFDdrzfA

Score

10^/10

gofing credential_access ransomware spyware stealer

Malware Config

Signatures

Gofing
Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.
ransomware gofing
Gofing family
gofing

Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation. 18 IoCs

resource	yara_rule
behavioral2/files/0x00030000000229fc-4.dat	family_gofing
behavioral2/files/0x0002000000021e25-5428.dat	family_gofing
behavioral2/files/0x0002000000021df0-5436.dat	family_gofing
behavioral2/files/0x0002000000021df0-5456.dat	family_gofing
behavioral2/files/0x0002000000021df0-5449.dat	family_gofing
behavioral2/files/0x0002000000021df0-5789.dat	family_gofing
behavioral2/files/0x0002000000021df0-5788.dat	family_gofing
behavioral2/files/0x0002000000021df0-5787.dat	family_gofing
behavioral2/files/0x0002000000021df0-5798.dat	family_gofing
behavioral2/files/0x0002000000021df0-5797.dat	family_gofing
behavioral2/files/0x0002000000021df0-5810.dat	family_gofing
behavioral2/files/0x0002000000021df0-5808.dat	family_gofing
behavioral2/files/0x0002000000021df0-5805.dat	family_gofing
behavioral2/files/0x0002000000021df0-5803.dat	family_gofing
behavioral2/files/0x0002000000021df0-5801.dat	family_gofing
behavioral2/files/0x0002000000021df0-5799.dat	family_gofing
behavioral2/files/0x0002000000021df0-5794.dat	family_gofing
behavioral2/files/0x0002000000021df0-5793.dat	family_gofing

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Loads dropped DLL 30 IoCs

pid	Process
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 15 IoCs

description	ioc	Process
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\3D Objects\desktop.ini	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\desktop.ini	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\$Recycle.Bin\S-1-5-21-1279544337-3716153908-718418795-1000\desktop.ini	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\desktop.ini	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk-1.8\jre\bin\lcms.dll	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Grace-ul-oob.xrm-ms	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptyView-Dark.scale-400.png	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Xaml.resources.dll	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_srt_plugin.dll	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\services_discovery\libpodcast_plugin.dll	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\PresentationFramework.resources.dll	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\de.pak	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrenclm.dat	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jre-1.8\bin\resource.dll	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription1-ppd.xrm-ms	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageSplashScreen.scale-100_contrast-white.png	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\ResiliencyLinks\Locales\is.pak.DATA	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Inbox.winmd	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\GameBarTasks.dll	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarLargeTile.scale-150.png	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jre-1.8\bin\instrument.dll	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-pl.xrm-ms	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN105.XML	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Mozilla Firefox\freebl3.dll	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-30_altform-unplated_contrast-white.png	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ja-jp\ui-strings.js	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\edge_game_assist\EdgeGameAssist.msix	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Mozilla Firefox\install.log	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\osfproxyimm.dll	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-80_altform-unplated_contrast-white.png	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-16_altform-lightunplated.png	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\dd_arrow_small.png	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\7-Zip\Lang\sr-spc.txt	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\ARROW.WAV	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-64_altform-unplated_contrast-black.png	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ja-jp\AppStore_icon.svg	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsnor.xml	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-400_contrast-white.png	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\x86\MSWebp_store.dll	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\XboxApp.Resource\Xbox.Smartglass.Loc.xml	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\PresentationCore.resources.dll	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Controls.Ribbon.resources.dll	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\plugin.js	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Office16\officestoragehost.dll	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\CalibriL.ttf	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-64_altform-unplated.png	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-60_altform-unplated.png	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\en-us\msointl30_winrt.dll	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarLargeTile.scale-200.png	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\s_shared_multi_filetype.svg	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Windows Media Player\setup_wm.exe	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEODTXT.DLL	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.Entity.Resources.dll	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GetStartedWideTile.scale-200.png	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\zh-tw\ui-strings.js	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msoutilstat.etw.man	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square310x310Logo.scale-125.png	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNewNoteWideTile.scale-100.png	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\richedim.dll	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PlaceCard\contrast-black\OfflineError.svg	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AXSLE.dll	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\ResiliencyLinks\Locales\fr.pak.DATA	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-180.png	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\Weather_BadgeLogo.scale-100.png	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\swscale-5_ms.dll	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\FetchingMail.scale-400.png	2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe

C:\Users\Admin\AppData\Local\Temp\2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-28_004695a17ca34f02437fe7be63e42583_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7-zip32.dll

Filesize
4.2MB

MD5
7b99a308d625bf04dea875d7964fc183

SHA1
39483605e45ec05d5db3b9f8563c661ad2968be6

SHA256
55f3ff968a506b92de0d1708615a43541c7c25ccd8588f8005c1a0de173111c3

SHA512
2908d5b3c766ffbe4c6d8d46559588855dc97c19caa18f09054649cf8d36095bd4c0031f37fbb6c4387da1a52e1f5852a3b9efee313a704da5da6b06311758fa

Download Submit
C:\Program Files\Microsoft Office\root\Office16\VISSHE.DLL

Filesize
4.4MB

MD5
ac1476af63a44ba76e939d6324b4aa96

SHA1
206019485473bf67b5ad9164394f74d26584a9db

SHA256
07a945a0c14cf077249f1c916182e790219f20b7e15d122fbc59124c5971a2dc

SHA512
ca91fee4efb25016ea6fafc8b689d8bf0e1a089399e4f5de787c9a5668d6047263d3a5e7617098641062d65415513817c47c75de5a153a5e43f0bdb455b34a1e

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

Filesize
5.8MB

MD5
4f62b105d56a1a0239a280ecdfec50e3

SHA1
b5f53f35035504a5a5a3c734bb1be584a319eeb6

SHA256
63efe2b2be96d0d3f8d596a255b72537f12082ea11f45509d29db31c3a36aa94

SHA512
0b34bed7b25e59254bab1f39572e1e19b0329952722f497284eb8e9e8eda7fc09df487884e88ea0e9c31a254201bab50765ed3f60f03c15d3e28c4ddc4f2f7db

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

Filesize
5.8MB

MD5
cb1ad51c3069e1ec21dcff8e1f9db965

SHA1
6b976538a2d7e8ff83197c90afb267979777eca8

SHA256
751d3c518b8f2dc9d73baa70ce0e90c28b7b3e5c611d1de600f4b8781353d196

SHA512
33e4d023045c0291a4613bb5f4cd0ab332024c305baa5f8cdae97921aca84c4fb8f518608eac36695a0b439264bb2f24c332d6445e8db1fb5c797ed3ff3e1664

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

Filesize
5.3MB

MD5
b573ebed6f81801724c3656ad1626c79

SHA1
690d857e9c36bf9f4bda606e5e8c45e4914c725c

SHA256
90a9d63c590bf20084d4e9686f3fa999369fa81642b64a41e7fb09eac8743935

SHA512
5f4295599b823bc3f5c3c423be9237ddbf0e0ff006cbd7c8772e477b7903c1c083a4722a5fc2c7207bac93011ea45c436de11859d06b6055daf211f7e7523bdc

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

Filesize
5.0MB

MD5
0618641dc0e3de25950da59e028dc09f

SHA1
b8a00b344991297789f228001352a54677b91ae1

SHA256
eeb9ad325ca2f50b47ed851bede2f769b64664c4508782c463c56003b5bf10f1

SHA512
525580edcb071f0379857c5d336d9017260420702fb7813202ade52796c32c009e7e5bdca46232286fc1d1323779ed4f79e78262e94b5ea17bd1b335a2c916a0

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

Filesize
5.4MB

MD5
a19876a33023f0588dfc79d58231f086

SHA1
329ec6fb2b2a0bdba853550991853845585fb001

SHA256
2123b6436d8da2a4dea847cc422459ee0921a152426fb7126407785f0b9b5d1e

SHA512
20af98bc70506d776532c0acb428375f272fd99caee1ddf20e1bbdd1a35e8ec0e20a6e0369ce41c435934a03cdd8922210d8d37960434dd87f44796173540d9d

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

Filesize
4.5MB

MD5
bad4ef2fc4c823e5cb3e837cf917a954

SHA1
df39110d0298e8c137384e104f87d79a0e3ac992

SHA256
3ea3868c969cb381167ce711438eab1cfb47e5a15efbcccd28f1fe52dd4d61dd

SHA512
7922dbd466a0aa27f6fda3f42a9098e2e12d869329e4a8a5a66b41b8764ba2fab913d8ee95754f26d27b131792226ad4a75625479b1054c28c14aab124402929

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

Filesize
5.6MB

MD5
8eb90a9cede617a9e6e7c9756275929e

SHA1
8fd3974855bcda8e25c5377df16588f2742413a6

SHA256
486b6bf91b2769628efe9f6133006f7bdde9ef608a9bcf6d47808e2006cee247

SHA512
f1ac7c2c0633c1c33d90a59683560e4840ae0a45c01423000576039077004b5261121d8b54656a98c84cfbfcf9dbca4306b889734017de18dce00038ece4f79f

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

Filesize
5.4MB

MD5
689164041e5e6c6c02215e5ddd4089d6

SHA1
a3d66f55da1baf2380f6046758bc5259649c96bc

SHA256
825090f542ee09d9d430350ffd2b57241e3f2808de07ba77797cdb2d5d1c40e9

SHA512
7605de7f3b3623e859e810d7f8af7eb42232c98a86c7cd97feadf1d3e2c03d1001fa32dd93f8858072d6d9e83d776a9b8ab25ac5e5322c397b98529691265385

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

Filesize
4.9MB

MD5
9c2563b1f8417376c7fedad63cd68e48

SHA1
4c76a4e0ba423cce59624db130e048d1237d02ab

SHA256
699e4fcbaedffe33f8594888be94935a518f9cf369147fa456a5baab5c0c40c5

SHA512
2ac32dff1ea4417c165ecf376a7acce790ccb545f7da4ccb5ab6ba6eec9a60fa1c5874f81f87b13de00c85e4a640c394c579ab7a5304d3f9400f3be24b22241d

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

Filesize
4.6MB

MD5
20bc2fa29efa6afe57ebf9c64d94d7e4

SHA1
fd7ca1531bf5265db91ba867e11eaa45f3ebe6c3

SHA256
036a86ae470386efe3798d716a8c5d7d2f73442c15294e27b34bb42486948dcb

SHA512
6f937825de7b7aae28078ad15c1501852bb167434fecd246764f7cc7648680dad3260b16d9c1487b019a6dd90e7e5eafc739b0d27cead677c4b8386f11f4d58b

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

Filesize
5.4MB

MD5
639821884028fd20793177a35743f75a

SHA1
e71ac239ae12d30bdadd7f76189d3165a7646e81

SHA256
ae0a7151006f3e49151d9053e22a68b507b9a98f744734df2a7b1f504e647355

SHA512
b6989746e92c0b73a1c8c8634074a744c83ff55ebf34bc9216bf7357356117edf498a282792a682c70ab36d42093d7b8915a4c9bc8e369938bb927a655059155

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

Filesize
5.1MB

MD5
2a34bc969289ec80c4664710374cf603

SHA1
a881a0d3442cb62c6b6031b90b98eff919ad109b

SHA256
ccb8be05ba6dbd080fa7464c1d5844df0dc4fcd4822f5d5625e717cd0b1f5477

SHA512
8d416c3bb01b264e0ca069599f8ec6e5e953f4b28fc8f1cdba229ef8ba12c8ef762020d1ba0b901605a8e000e0c0d12a85ddb7b72f931b495f47ff698ea62c63

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

Filesize
4.4MB

MD5
04840e73af454ab65a5ac3ce06435141

SHA1
43c20d3a9e0833306a58b778b81fc8b0ae2d67b7

SHA256
14f6d4a11a65bc11ec9cf08a410428475e118f98f01d268b1a9c105408a343aa

SHA512
4f49816d4edaee44a975da5b19246f8af2627608e5321efb367ff7d9acab9e82ab83b65cf36ce6467a2848cdccf4efa6d3176b278fb5a72739b5996d4434196c

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

Filesize
4.5MB

MD5
b09ffc7b7314dbaefc2eb206795c6c78

SHA1
f9ffa628970485c4c54b4207f6ddd27a0fd07651

SHA256
d5340f80bcb6f388e88d3ccd7ff334d067d275a942659132c313a4e2734be498

SHA512
85de634c6e6ba9a0704c3dc9c1e686845d838a80fd67fb68b9b906c9c3e9da4b9e004ae48396aab03e24ed5a24d6000a9d708c4f2f1cce116e8ba59987ba271e

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

Filesize
4.9MB

MD5
7a74cf29a4b647d637cb57e45effb969

SHA1
78eae0d915a34d6fb787f91fd2e950f4f914c05a

SHA256
5dbdc6f86c5c4c27db0a165c3daa51d64dbb3b0d75a4ab82c1ccae2276eecf92

SHA512
1d10fbbd38fc036b27cc9502b2edd3f6524f5d0f240b1960f149c27e145c34e36d4701425563b4eddb0542a8b784d8fff6cc92151b13353d7b9dda6f738e5854

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

Filesize
4.6MB

MD5
23529a86f59b9475bad0c13784c1bbd8

SHA1
07e6264011e9279d30c0559c82fa1ea5907808e8

SHA256
f1fa92bb80ab2387116719728dd4315c17f0c52ae5552860a25ce2c5264ff0c7

SHA512
463a031a5ef912e61ed98a2c592b96ba9784ee537e16620b0bc9332d4f249ebb97aca1fd829d85f318022335e665a3edd09cbf3d442e741e38be615b08169099

Download Submit