Analysis
- max time kernel: 86s
- max time network: 144s
- platform: windows10-2004_x64
- resource: win10v2004-20250502-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15/05/2025, 07:54
Behavioral task behavioral1
- Sample: 2025-05-15_f6e9a38590df744d7c6dd4e69c357acd_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe
- Resource: win10v2004-20250502-en
Behavioral task behavioral2
- Sample: 2025-05-15_f6e9a38590df744d7c6dd4e69c357acd_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe
- Resource: win11-20250502-en
General
- Target: 2025-05-15_f6e9a38590df744d7c6dd4e69c357acd_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe
- Size: 4.1MB
- MD5: f6e9a38590df744d7c6dd4e69c357acd
- SHA1: 344566d5a0ee9dcd6afe9706e50c4d600aa11727
- SHA256: 2b1980613cda2c73b223c47750879d1c35f0a4cdb95311be6e923834bcec2106
- SHA512: 97f44b2f7d8181811e4f0419e4e97b8ce0ce5a60170873490e142b0c393b6e5b2cc17c043e858608c5cd50f036132d26c22d59f69c736dd85719ea12e46b5611
- SSDEEP: 49152:ieutLO9rb/TrvO90dL3BmAFd4A64nsfJJ2TIA5GNP1Jr4u/TgAPNdi9128qk1q49:ieF+iIAEl1JPz212IhzL+Bzz3dw/Vj
Malware Config
Signatures
- Gofing: Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.
- Gofing family, 1 IoC: yara_rule family_gofing matched resource behavioral1/files/0x0003000000022a64-4.dat
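Two caveats a triager should take from the signature block before trusting the file name: the only family the report itself attributes is Gofing, so the other family names carried in the submitted file name (cobalt-strike, frostygoop, ghostlocker, luca-stealer, sliver, snatch) are not corroborated by anything on this page, and the family YARA hit is recorded against a file from the run (behavioral1/files/...) rather than against the submission itself. Since the signature describes a Go binary under VPC obfuscation, a useful first static check on either file is whether the markers the Go toolchain leaves in a PE are still present. The script below is an added example, not part of the Triage report and not Gofing or Triage tooling; it uses only the standard library, reads the PE section table with a minimal hand-written parser, and the function names (pe_section_names, go_markers, classify, build_fake_pe) and the constructed test image are this example's own.

```python
"""Go build-marker check for a PE sample (added example, stdlib only)."""
import struct

# Markers the Go toolchain writes into every binary it links:
#   - build-info blob header (runtime/debug.ReadBuildInfo; lives in .data on PE)
#   - build ID string in .text (cmd/internal/buildid)
#   - pclntab header: 4-byte magic, 2 zero bytes, pc quantum, pointer size,
#     with the magics debug/gosym knows (go1.2, go1.16, go1.18, go1.20+)
GO_BUILDINFO_MAGIC = b"\xff Go buildinf:"
GO_BUILDID_PREFIX = b"\xff Go build ID: \""
PCLNTAB_MAGICS = (0xFFFFFFFB, 0xFFFFFFFA, 0xFFFFFFF0, 0xFFFFFFF1)
# quantum 1 / pointer size 8 is x86-64, the report's platform (arm64 uses quantum 4)
PCLNTAB_HEADERS = tuple(struct.pack("<IHBB", m, 0, 1, 8) for m in PCLNTAB_MAGICS)
# Go's PE linker emits a ".symtab" section; corroborating only, not proof by itself.
GO_PE_SECTIONS = {b".symtab"}


def pe_section_names(data):
    """Section names from the PE section table, or None if data is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size
    names = []
    for i in range(nsections):
        off = table + 40 * i  # IMAGE_SECTION_HEADER is 40 bytes, 8-byte name first
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def go_markers(data):
    """Which Go markers are visible in the raw bytes of the file."""
    names = pe_section_names(data)
    return {
        "is_pe": names is not None,
        "go_sections": sorted(n.decode("latin-1") for n in (names or []) if n in GO_PE_SECTIONS),
        "buildinfo_magic": GO_BUILDINFO_MAGIC in data,
        "build_id": GO_BUILDID_PREFIX in data,
        "pclntab_header": any(h in data for h in PCLNTAB_HEADERS),
    }


def classify(data):
    """'go' on any strong marker; 'pe-without-go-markers' for a PE that shows none,
    which is also what a packed or VPC-obfuscated Go binary looks like; else 'not-pe'."""
    m = go_markers(data)
    if not m["is_pe"]:
        return "not-pe"
    if m["buildinfo_magic"] or m["build_id"] or m["pclntab_header"]:
        return "go"
    return "pe-without-go-markers"


def build_fake_pe(section_names, payload):
    """Constructed minimal PE for offline tests: DOS stub, COFF header with no
    optional header, section table, payload. Not loadable; only the fields that
    pe_section_names() reads are meaningful."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, 0, 0x22)
    table = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + table + payload


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:
        blob = fh.read()
    print(classify(blob), go_markers(blob))
```

A result of pe-without-go-markers on the 4.1MB submission is exactly what the VPC obfuscation named in the signature would produce; absence of markers is not evidence against the family, it is a reason to run the same check on the file the YARA rule actually matched and on memory dumps from the run.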
- Drops desktop.ini file(s), 3 IoCs
  Process for every row: 2025-05-15_f6e9a38590df744d7c6dd4e69c357acd_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe
  File created:
  - C:\$Recycle.Bin\S-1-5-21-3299287909-2279959458-198972791-1000\desktop.ini
  - C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI
  - C:\Program Files\desktop.ini
- Drops file in Program Files directory, 64 IoCs
  Process for every row: 2025-05-15_f6e9a38590df744d7c6dd4e69c357acd_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe
  File created:
  - C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-60.png
  - C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubLargeTile.scale-100_contrast-high.png
  - C:\Program Files (x86)\Common Files\System\en-US\wab32res.dll.mui
  - C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcDemoR_BypassTrial365-ppd.xrm-ms
  - C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml
  - C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\hr-HR\View3d\3DViewerProductDescription-universal.xml
  - C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNotebookLargeTile.scale-100.png
  - C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNotebookSmallTile.scale-100.png
  - C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.targetsize-16_altform-lightunplated.png
  - C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-40_contrast-high.png
  - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-ae\ui-strings.js
  - C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-ul-phn.xrm-ms
  - C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PhotosMedTile.scale-100.png
  - C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNotebookLargeTile.scale-125.png
  - C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreMedTile.scale-200.png
  - C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\es\WindowsFormsIntegration.resources.dll
  - C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\vlc.mo
  - C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\notetagsUI\styles.css
  - C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-20_altform-lightunplated.png
  - C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-file-l2-1-0.dll
  - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\plugins\rhp\createpdfupsell-app-selector.js
  - C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_Subscription-pl.xrm-ms
  - C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Initialization.dll
  - C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\graph.ico
  - C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\VoiceRecorderSmallTile.contrast-white_scale-200.png
  - C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\Microsoft.Advertising\ormma.js
  - C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\MoviesAnywhereLogoWithTextLight.scale-100.png
  - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\comment.svg
  - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\tr-tr\ui-strings.js
  - C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-ul-oob.xrm-ms
  - C:\Program Files\Microsoft Office\root\Office16\MSOCR.DLL
  - C:\Program Files\Microsoft Office\root\vfs\Fonts\private\DUBAI-MEDIUM.TTF
  - C:\Program Files\VideoLAN\VLC\plugins\codec\libddummy_plugin.dll
  - C:\Program Files\WindowsApps\Microsoft.ScreenSketch_2019.904.1644.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml
  - C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-96_altform-lightunplated_devicefamily-colorfulunplated.png
  - C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-processenvironment-l1-1-0.dll
  - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\css\main-selector.css
  - C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\MS.EXCEL.16.1033.hxn
  - C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\ADO210.CHM
  - C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WorldClockWideTile.contrast-white_scale-125.png
  - C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\Microsoft.DiaSymReader.Native.amd64.dll
  - C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
  - C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Retail-ul-oob.xrm-ms
  - C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-black\MedTile.scale-200.png
  - C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\WideLogo.scale-200_contrast-white.png
  - C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptyShare-Dark.scale-125.png
  - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-gb\ui-strings.js
  - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\zh-tw\ui-strings.js
  - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\ResiliencyLinks\vk_swiftshader_icd.json.DATA
  - C:\Program Files\Java\jre-1.8\bin\dtplugin\npdeployJava1.dll
  - C:\Program Files\Microsoft Office\root\Templates\1033\EssentialReport.dotx
  - C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LAYERS\LAYERS.ELM
  - C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-200_8wekyb3d8bbwe\AppxManifest.xml
  - C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteMediumTile.scale-125.png
  - C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\StoreLogo.scale-100_contrast-white.png
  - C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\SmallTile.scale-100_contrast-black.png
  - C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-24.png
  - C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-synch-l1-2-0.dll
  - C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.ComponentModel.DataAnnotations.dll
  - C:\Program Files\VideoLAN\VLC\plugins\codec\libqsv_plugin.dll
  - C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Microsoft.Notes.dll
  - C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsBadge.contrast-black_scale-200.png
  - C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\Assets\MixerBranding\Mixer_logo_DarkBlue_RGB.png
  - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\ResiliencyLinks\Locales\he.pak.DATA
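What the two file-system signatures above actually capture is breadth: one process creating files at the paths of pre-existing application files (Office licences, VLC plugins, .NET runtime DLLs, Edge resources) across many unrelated Program Files subtrees, plus desktop.ini writes reaching into the user's $Recycle.Bin folder. That is the shape in-place encryption takes in a file-event log, though the page lists no renames, extension changes or ransom notes, and the writes also tell you the sandbox ran the sample with enough privilege to modify Program Files. The script below is an added example, not part of the Triage report: it parses the report's flattened "File created <path> <process>" rows (including the page's mid-path line wraps), re-derives the two signatures from them, and adds a subtree-breadth score the page does not compute. The rows are copied from the report (the 3 desktop.ini rows and a subset of the 64 Program Files rows); the function names, the signature labels for the added check, and the thresholds are this example's own choices.

```python
"""Parse Triage-style "File created" rows and score the write footprint (added example)."""
import json
import re
from collections import defaultdict
from pathlib import PureWindowsPath

SAMPLE = ("2025-05-15_f6e9a38590df744d7c6dd4e69c357acd_cobalt-strike_frostygoop_"
          "ghostlocker_gofing_luca-stealer_sliver_snatch.exe")

# Paths copied from the report's desktop.ini and Program Files signature tables.
REPORT_PATHS = [
    r"C:\$Recycle.Bin\S-1-5-21-3299287909-2279959458-198972791-1000\desktop.ini",
    r"C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI",
    r"C:\Program Files\desktop.ini",
    r"C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-60.png",
    r"C:\Program Files (x86)\Common Files\System\en-US\wab32res.dll.mui",
    r"C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcDemoR_BypassTrial365-ppd.xrm-ms",
    r"C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\vlc.mo",
    r"C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-file-l2-1-0.dll",
    r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\tr-tr\ui-strings.js",
    r"C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe",
    r"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\ResiliencyLinks\Locales\he.pak.DATA",
]
# Re-flattened into the page's "File created <path> <process>" form; the newline
# reproduces the kind of mid-path wrap the page has ("C:\Program" / "Files\...").
REPORT_TEXT = " ".join(f"File created {p} {SAMPLE}" for p in REPORT_PATHS).replace(
    r"C:\Program Files\Java", "C:\\Program \nFiles\\Java", 1)

# Path may contain spaces; the process name cannot, and each row is followed by
# the next row's description or the end of the text.
ROW_RE = re.compile(r"File created (?P<path>.+?) (?P<process>\S+\.exe)(?= File created |$)")
PROGRAM_FILES = ("c:\\program files\\", "c:\\program files (x86)\\")


def parse_file_iocs(text):
    """Flattened rows -> [{'path': ..., 'process': ...}], tolerant of line wraps."""
    flat = re.sub(r"\s+", " ", text).strip()
    return [{"path": m.group("path"), "process": m.group("process")}
            for m in ROW_RE.finditer(flat)]


def triage(records, min_subtrees=3, min_extensions=5):
    """Per-process footprint: the report's two signatures plus a breadth check."""
    by_proc = defaultdict(list)
    for r in records:
        by_proc[r["process"]].append(r["path"].lower())
    result = {}
    for proc, paths in by_proc.items():
        in_pf = [p for p in paths if p.startswith(PROGRAM_FILES)]
        # first directory below Program Files: "windowsapps", "microsoft office", ...
        subtrees = {p.split("\\")[2] for p in in_pf if p.count("\\") >= 3}
        desktop_ini = [p for p in paths if PureWindowsPath(p).name == "desktop.ini"]
        recycle_bin_ini = [p for p in desktop_ini if p.startswith("c:\\$recycle.bin\\")]
        extensions = {PureWindowsPath(p).suffix for p in paths} - {""}
        fired = []
        if desktop_ini:
            fired.append("Drops desktop.ini file(s)")
        if in_pf:
            fired.append("Drops file in Program Files directory")
        if len(subtrees) >= min_subtrees and len(extensions) >= min_extensions:
            fired.append("Broad write footprint across Program Files")  # this example's label
        result[proc] = {
            "files": len(paths),
            "program_files": len(in_pf),
            "subtrees": sorted(subtrees),
            "desktop_ini": len(desktop_ini),
            "recycle_bin_desktop_ini": len(recycle_bin_ini),
            "extensions": sorted(extensions),
            "signatures": fired,
        }
    return result


if __name__ == "__main__":
    print(json.dumps(triage(parse_file_iocs(REPORT_TEXT)), indent=2))
```

The breadth check is deliberately a count of distinct application subtrees and file types rather than a count of rows, because 64 writes into one package directory is what an installer does, while writes spread over Office, VLC, .NET, Java, Adobe and Edge at once is not.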
Processes
- C:\Users\Admin\AppData\Local\Temp\2025-05-15_f6e9a38590df744d7c6dd4e69c357acd_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2025-05-15_f6e9a38590df744d7c6dd4e69c357acd_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe"
  PID: 4444
  Signatures: Drops desktop.ini file(s); Drops file in Program Files directory
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID: 3600
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID: 1232
All three entries sit at depth 1 of the process tree: the two SearchApp.exe instances are the Windows search host started in its own right, not children of the sample, and no child process of the sample is recorded.
Network
MITRE ATT&CK Matrix
Downloads
- (no path given)
  Filesize: 4.2MB
  MD5: e395c2de6d5edf0c9915d8da3044f523
  SHA1: 947c7cf6d0579f15b09490a117f5e240bbf8a50b
  SHA256: c43fd23d990571cac175db0637f4fae91c5700491c7311ea1393492dae06751a
  SHA512: 5be216937cd6f1d7822e9fbceeb89f194977afb4ce903b1d801910c70cd6da0eb42ca13e86d4d0d184d7380b412f1a1948889b0ab7c4d49a339a2d49ea702e7e
- C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\HXMWSROC\microsoft.windows[1].xml
  Filesize: 97B
  MD5: 072d508c8a0d2689525f2eea4dce6ff9
  SHA1: 0db1ed4dab098837a2fb4cd59f8a482f295d4e23
  SHA256: 7d512f9f27854c85bd52bf5e038329366a7fb545752e7b846061a9854efd1b8f
  SHA512: c68e44da7cbe5992c874c9bd876ecfb934728fe971cd5d6021c3303fbbabe976ec53d09a454a359341a2fb9f6f921edc7885a5bc59f8d8edcc70c1389d97b9a4
- C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\95d9a2a97a42f02325559b453ba7f8fe839baa18.tbres
  Filesize: 2KB
  MD5: 031a1d1d0d75e1a0018b9e2c7c80d609
  SHA1: 9edfae47b2b1b7c75fe5914ab0f8f3e241a58e6a
  SHA256: 21b39aab0df5acc1484798308042151496ebaa266a9d2baf1975502275628c8a
  SHA512: 09b04fa89e79df4c65ca68956ed8d4727d7bd0a1fb07fea2b20c10f2ec6bd29a3e3aedda0ef5a23ae327ef17725b30b2713cbf62fd0f8b60e15a7a7052820735
- C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133917693859259173.txt
  Filesize: 14KB
  MD5: b9a3570135c6cdac61e23a655424bb81
  SHA1: b25c823b867b820fa34e0d61892c99af1b3db241
  SHA256: e193af6a87eea12acbb0e56ca2c4e0b078e4c775d8b0f46c327eeb0ce00ce2e6
  SHA512: 73f70af649bf07c3c9c9298c78f8fc1168be976af14b7e381ccf33fef36cfc4809becb8d2c7ecb5ea8d198f7bdf1c2f30ed1c800df4086099215c8ade7d86ca0
- C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\IDX_CONTENT_TASKBARHEADLINES.json
  Filesize: 287KB
  MD5: 08fd76fcc814c28dfd328c2ae9bec105
  SHA1: 0cfc99361ff187489d4e4d1873c32d92886d1d53
  SHA256: e1cda8074d742600eb80a4da0c94186de5aede64ba89e3ee748ebde4f0eb4806
  SHA512: bf840a06050badb35ea4e81bbd2d7665785717524033f9c8b093d5cfc690fcd473824e53fdf292314381271886d06e14a3d5ce44db2479e84cb7dd75bd5204d8
- C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat
  Filesize: 12KB
  MD5: 585d59e56728fdeb3389e4fb7cd6bc3b
  SHA1: bb169c6ec156a09bb60dc354958cd6cb3dd46090
  SHA256: b16aa654cb4f6d1111954f861e1c2ff9ff2e97a4f5e9bed6ff3ae4cf9c1ac828
  SHA512: 212de690d347865bfbd5aebcae465b6eac5187013a9fe0b07e0275bf58e6f25d29b981c20a06ed894c2d3203090f51250e414b4b4dde7ede1f523670c3822665
- (no path given)
  Filesize: 694KB
  MD5: 8ba77f00099edec326563d0f456dfee8
  SHA1: ba094a8fd9284be093a3970bf77f7f31b76f23d6
  SHA256: 98e907e4ea98a4a094b075bac860f2f9be2ef1e6a832ff62a006ac451849f3f7
  SHA512: bf89aecca85b410011844cc2f1cd20d5afe01eab54e80c23ecff0c27977411a71cf3da7540888bd6d6e621e6fb04e397490a1f76ae25a8f16f6b12bcc81de20e
- (no path given)
  Filesize: 829KB
  MD5: a207e1444147aa44ce159d1d3bf225f7
  SHA1: 381e5f421ef3de109acd7e70a391622f6602c5a9
  SHA256: 0dbf5b430983c09aa2f6b964808e4217608489f480aec6a1819a25d50994b474
  SHA512: 30a1b8810648f42163f3dd07bc971f33946266d70f2816a32b6dc24fe4bce0414dbe809405d78a6d212e106ca5cb31e8f94e0e9911f909dbf45af595c63fb4a5