Analysis Overview
SHA256
c4a65a85a3a3980a1d2c4315b9e71d4fb8ee38e52bf1e444b02433304e0bf802
Threat Level: Known bad
The file 2025-05-03_d45f2d54c7deef223cec2c0029b5662c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch was found to be: Known bad.
Malicious Activity Summary
Gofing family
Gofing
Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.
Loads dropped DLL
Credentials from Password Stores: Windows Credential Manager
Executes dropped EXE
Drops startup file
Reads user/profile data of web browsers
Drops Chrome extension
Drops desktop.ini file(s)
Drops file in System32 directory
Drops autorun.inf file
Drops file in Windows directory
Drops file in Program Files directory
Unsigned PE
Browser Information Discovery
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-05-03 15:17
Signatures
Gofing family
Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-05-03 15:17
Reported
2025-05-03 15:19
Platform
win10v2004-20250502-en
Max time kernel
150s
Max time network
115s
Command Line
Signatures
Gofing
Gofing family
Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Credentials from Password Stores: Windows Credential Manager
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-05-03_d45f2d54c7deef223cec2c0029b5662c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Drops Chrome extension
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\manifest.json | C:\Users\Admin\AppData\Local\Temp\2025-05-03_d45f2d54c7deef223cec2c0029b5662c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe | N/A |
Drops desktop.ini file(s)
Drops autorun.inf file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf | C:\Users\Admin\AppData\Local\Temp\2025-05-03_d45f2d54c7deef223cec2c0029b5662c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe | N/A |
Drops file in Program Files directory
Drops file in Windows directory
Browser Information Discovery
Processes
C:\Users\Admin\AppData\Local\Temp\2025-05-03_d45f2d54c7deef223cec2c0029b5662c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2025-05-03_d45f2d54c7deef223cec2c0029b5662c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| DE | 142.250.184.195:80 | c.pki.goog | tcp |
Files
C:\Program Files\7-Zip\7-zip32.dll
| MD5 | 4bf483f28d22c3a849c6e18431d6a83c |
| SHA1 | 4f77674b6a337e2f98913bed6045c6ab1f18dbc3 |
| SHA256 | c58a6175c32a17574340551d508c4cfe7df3e6d58693890ad2562f26d4f1a618 |
| SHA512 | 85c07bb4d424b3112b9f409ebe985dd037309e20663c5aa71f78812fab9a97dbaf34ca948351130e120325bf0efbeaf5a10ca1b97d26eb4ebac2c2bf6f6458ab |
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll
| MD5 | debe09b8490ee7d9fd7bac108b8c7ff4 |
| SHA1 | 483f1d8de2aee598f2e39ad40e578873fe705405 |
| SHA256 | 91beb91b5355342ceb6ea6641225cba670c98e0c67c7d586c307757ed79a4f5a |
| SHA512 | 7b39291e5b1204ebf1ce06c159a547bb45ead67c00f9266c4fdacfc740a21f5623ac3f32d3f7a75ec6022923c97e75d5dd9cc93b3e08a3e29bf200dfd746c02d |
Analysis: behavioral2
Detonation Overview
Submitted
2025-05-03 15:17
Reported
2025-05-03 15:19
Platform
win11-20250502-en
Max time kernel
150s
Max time network
109s
Command Line
Signatures
Gofing
Gofing family
Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Credentials from Password Stores: Windows Credential Manager
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-05-03_d45f2d54c7deef223cec2c0029b5662c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Drops Chrome extension
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\manifest.json | C:\Users\Admin\AppData\Local\Temp\2025-05-03_d45f2d54c7deef223cec2c0029b5662c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe | N/A |
Drops desktop.ini file(s)
Drops autorun.inf file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf | C:\Users\Admin\AppData\Local\Temp\2025-05-03_d45f2d54c7deef223cec2c0029b5662c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe | N/A |
Drops file in System32 directory
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_2021.427.1821.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml | C:\Users\Admin\AppData\Local\Temp\2025-05-03_d45f2d54c7deef223cec2c0029b5662c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2102.13.0_x64__8wekyb3d8bbwe\Assets\contrast-white\NotepadAppList.targetsize-32_altform-lightunplated.png | C:\Users\Admin\AppData\Local\Temp\2025-05-03_d45f2d54c7deef223cec2c0029b5662c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\s_opencarat_18.svg | C:\Users\Admin\AppData\Local\Temp\2025-05-03_d45f2d54c7deef223cec2c0029b5662c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.40978.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-16_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\2025-05-03_d45f2d54c7deef223cec2c0029b5662c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe | N/A |
| File created | C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib\WeeklyDayPicker.js | C:\Users\Admin\AppData\Local\Temp\2025-05-03_d45f2d54c7deef223cec2c0029b5662c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe | N/A |
| File created | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxMailSmallTile.scale-100.png | C:\Users\Admin\AppData\Local\Temp\2025-05-03_d45f2d54c7deef223cec2c0029b5662c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_Subscription-ppd.xrm-ms | C:\Users\Admin\AppData\Local\Temp\2025-05-03_d45f2d54c7deef223cec2c0029b5662c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-core-timezone-l1-1-0.dll | C:\Users\Admin\AppData\Local\Temp\2025-05-03_d45f2d54c7deef223cec2c0029b5662c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.BingWeather_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\WeatherSplashScreen.scale-200_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\2025-05-03_d45f2d54c7deef223cec2c0029b5662c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_11.2104.2.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SnipSketchSplashScreen.scale-200.png | C:\Users\Admin\AppData\Local\Temp\2025-05-03_d45f2d54c7deef223cec2c0029b5662c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\AppxSignature.p7x | C:\Users\Admin\AppData\Local\Temp\2025-05-03_d45f2d54c7deef223cec2c0029b5662c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe | N/A |
| File created | C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib\Selection.js | C:\Users\Admin\AppData\Local\Temp\2025-05-03_d45f2d54c7deef223cec2c0029b5662c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\ru\System.Windows.Forms.Design.resources.dll | C:\Users\Admin\AppData\Local\Temp\2025-05-03_d45f2d54c7deef223cec2c0029b5662c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef.css | C:\Users\Admin\AppData\Local\Temp\2025-05-03_d45f2d54c7deef223cec2c0029b5662c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe | N/A |
| File created | C:\Program Files\Common Files\System\Ole DB\ja-JP\sqlxmlx.rll.mui | C:\Users\Admin\AppData\Local\Temp\2025-05-03_d45f2d54c7deef223cec2c0029b5662c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2103.1172.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Images\EdgeLogo.scale-100.png | C:\Users\Admin\AppData\Local\Temp\2025-05-03_d45f2d54c7deef223cec2c0029b5662c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\uninstall\shortcuts_log.ini | C:\Users\Admin\AppData\Local\Temp\2025-05-03_d45f2d54c7deef223cec2c0029b5662c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-96.png | C:\Users\Admin\AppData\Local\Temp\2025-05-03_d45f2d54c7deef223cec2c0029b5662c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe | N/A |
| File created | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\telemetryrules\hxoutlook.exe_Rules.xml | C:\Users\Admin\AppData\Local\Temp\2025-05-03_d45f2d54c7deef223cec2c0029b5662c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\PROOF\MSGR8ES.LEX | C:\Users\Admin\AppData\Local\Temp\2025-05-03_d45f2d54c7deef223cec2c0029b5662c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\hive.xsl | C:\Users\Admin\AppData\Local\Temp\2025-05-03_d45f2d54c7deef223cec2c0029b5662c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe | N/A |
| File created | C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib\initializeFocusRects.js | C:\Users\Admin\AppData\Local\Temp\2025-05-03_d45f2d54c7deef223cec2c0029b5662c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe | N/A |
| File created | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Generic-Dark.scale-150.png | C:\Users\Admin\AppData\Local\Temp\2025-05-03_d45f2d54c7deef223cec2c0029b5662c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\ResiliencyLinks\Trust Protection Lists\Mu\Analytics.DATA | C:\Users\Admin\AppData\Local\Temp\2025-05-03_d45f2d54c7deef223cec2c0029b5662c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\ffmpeg.dll | C:\Users\Admin\AppData\Local\Temp\2025-05-03_d45f2d54c7deef223cec2c0029b5662c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_x64__8wekyb3d8bbwe\Assets\contrast-white\GetHelpWideTile.scale-200_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\2025-05-03_d45f2d54c7deef223cec2c0029b5662c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2102.13.0_x64__8wekyb3d8bbwe\Assets\contrast-white\NotepadAppList.targetsize-80_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\2025-05-03_d45f2d54c7deef223cec2c0029b5662c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe | N/A |
| File created | C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib-amd\dom.js | C:\Users\Admin\AppData\Local\Temp\2025-05-03_d45f2d54c7deef223cec2c0029b5662c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\am_get.svg | C:\Users\Admin\AppData\Local\Temp\2025-05-03_d45f2d54c7deef223cec2c0029b5662c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Application\133.0.6943.60\d3dcompiler_47.dll | C:\Users\Admin\AppData\Local\Temp\2025-05-03_d45f2d54c7deef223cec2c0029b5662c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_x64__8wekyb3d8bbwe\Assets\contrast-black\GetHelpWideTile.scale-200_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\2025-05-03_d45f2d54c7deef223cec2c0029b5662c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_11.2104.2.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SnipSketchLargeTile.scale-100.png | C:\Users\Admin\AppData\Local\Temp\2025-05-03_d45f2d54c7deef223cec2c0029b5662c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_11.2104.2.0_x64__8wekyb3d8bbwe\Assets\SnipSketchAppList.targetsize-16.png | C:\Users\Admin\AppData\Local\Temp\2025-05-03_d45f2d54c7deef223cec2c0029b5662c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PhotosStoreLogo.contrast-black_scale-100.png | C:\Users\Admin\AppData\Local\Temp\2025-05-03_d45f2d54c7deef223cec2c0029b5662c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe | N/A |
| File created | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailFirstRunLogo.png | C:\Users\Admin\AppData\Local\Temp\2025-05-03_d45f2d54c7deef223cec2c0029b5662c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\msedgeupdateres_it.dll | C:\Users\Admin\AppData\Local\Temp\2025-05-03_d45f2d54c7deef223cec2c0029b5662c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe | N/A |
| File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.Printing.resources.dll | C:\Users\Admin\AppData\Local\Temp\2025-05-03_d45f2d54c7deef223cec2c0029b5662c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Music.UI.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-03_d45f2d54c7deef223cec2c0029b5662c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe | N/A |
| File created | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\ExchangeWideTile.scale-125.png | C:\Users\Admin\AppData\Local\Temp\2025-05-03_d45f2d54c7deef223cec2c0029b5662c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\UIAutomationClient.resources.dll | C:\Users\Admin\AppData\Local\Temp\2025-05-03_d45f2d54c7deef223cec2c0029b5662c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\Locales\bs.pak | C:\Users\Admin\AppData\Local\Temp\2025-05-03_d45f2d54c7deef223cec2c0029b5662c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe | N/A |
| File created | C:\Program Files (x86)\Windows Photo Viewer\PhotoAcq.dll | C:\Users\Admin\AppData\Local\Temp\2025-05-03_d45f2d54c7deef223cec2c0029b5662c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\libcrypto-1_1-x64.dll | C:\Users\Admin\AppData\Local\Temp\2025-05-03_d45f2d54c7deef223cec2c0029b5662c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.6.3102.0_x64__8wekyb3d8bbwe\xboxservices.config | C:\Users\Admin\AppData\Local\Temp\2025-05-03_d45f2d54c7deef223cec2c0029b5662c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2103.1172.0_x64__8wekyb3d8bbwe\Assets\contrast-white\FeedbackHubAppList.targetsize-40_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\2025-05-03_d45f2d54c7deef223cec2c0029b5662c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-32_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\2025-05-03_d45f2d54c7deef223cec2c0029b5662c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.41182.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-100_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\2025-05-03_d45f2d54c7deef223cec2c0029b5662c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-24_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\2025-05-03_d45f2d54c7deef223cec2c0029b5662c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe | N/A |
| File created | C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib\keyboard.js | C:\Users\Admin\AppData\Local\Temp\2025-05-03_d45f2d54c7deef223cec2c0029b5662c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe | N/A |
| File created | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\GenericMailWideTile.scale-200.png | C:\Users\Admin\AppData\Local\Temp\2025-05-03_d45f2d54c7deef223cec2c0029b5662c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.FileSystem.dll | C:\Users\Admin\AppData\Local\Temp\2025-05-03_d45f2d54c7deef223cec2c0029b5662c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fi-fi\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\2025-05-03_d45f2d54c7deef223cec2c0029b5662c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\bun.png | C:\Users\Admin\AppData\Local\Temp\2025-05-03_d45f2d54c7deef223cec2c0029b5662c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe | N/A |
| File created | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailLargeTile.scale-400.png | C:\Users\Admin\AppData\Local\Temp\2025-05-03_d45f2d54c7deef223cec2c0029b5662c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-140.png | C:\Users\Admin\AppData\Local\Temp\2025-05-03_d45f2d54c7deef223cec2c0029b5662c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\plugins\audio_mixer\libfloat_mixer_plugin.dll | C:\Users\Admin\AppData\Local\Temp\2025-05-03_d45f2d54c7deef223cec2c0029b5662c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-03_d45f2d54c7deef223cec2c0029b5662c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\rsod\wordmui.msi.16.en-us.tree.dat | C:\Users\Admin\AppData\Local\Temp\2025-05-03_d45f2d54c7deef223cec2c0029b5662c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_neutral_split.scale-100_8wekyb3d8bbwe\Images\PowerAutomateSquare50x50Logo.scale-100.png | C:\Users\Admin\AppData\Local\Temp\2025-05-03_d45f2d54c7deef223cec2c0029b5662c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe | N/A |
| File created | C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-amd\components\DocumentCard\DocumentCardTitle.base.js | C:\Users\Admin\AppData\Local\Temp\2025-05-03_d45f2d54c7deef223cec2c0029b5662c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe | N/A |
| File created | C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-commonjs\components\DocumentCard\DocumentCardLogo.types.js | C:\Users\Admin\AppData\Local\Temp\2025-05-03_d45f2d54c7deef223cec2c0029b5662c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe | N/A |
| File created | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\es-ES\PackageManagementDscUtilities.strings.psd1 | C:\Users\Admin\AppData\Local\Temp\2025-05-03_d45f2d54c7deef223cec2c0029b5662c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Edge.dat | C:\Users\Admin\AppData\Local\Temp\2025-05-03_d45f2d54c7deef223cec2c0029b5662c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe | N/A |
| File created | C:\Program Files\Java\jre-1.8\bin\dtplugin\deployJava1.dll | C:\Users\Admin\AppData\Local\Temp\2025-05-03_d45f2d54c7deef223cec2c0029b5662c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe | N/A |
Drops file in Windows directory
Browser Information Discovery
Processes
C:\Users\Admin\AppData\Local\Temp\2025-05-03_d45f2d54c7deef223cec2c0029b5662c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2025-05-03_d45f2d54c7deef223cec2c0029b5662c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe"
Network
Files
C:\Program Files\7-Zip\7z.dll
| MD5 | c3c39983417d583bbf169dc8134dbdef |
| SHA1 | 7fa7143a7cec38f00ac9f599cc87f171e98b009f |
| SHA256 | e76ad3df97071ff2f97a62d5a9410a2f0be2bfb03709528943d16ad71116894a |
| SHA512 | fe424a8c31de54b222044eec4d67606dbfda7ef5ae2f8a4fcc7241cefd3b5018aa22943e98f835edaa29764a10aad13319a3345d75c5ab2789ac6ad7025d1a41 |
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll
| MD5 | 82f2f8338a74d1caba8db95ac561b11f |
| SHA1 | 3ddedd769312f9098932b1dd43f899de3c774a5a |
| SHA256 | 50a00cf6073c6f7ee5ba3d04c46da9c7b1f5cd7550e1cbc9bc69d5d7beae988f |
| SHA512 | b83651abb5a624a77ce46c5174ad6e9fd3bbcd80a21b2ff49961d553730a4e8d4dc8aecc7cd8c30c737bbfe9e0338e0031baf0ef5ed2bc3fd17b4fcc85508b66 |