gofing | 66e7b1ec39e7e5108495046e828f292f32c0cabd6bde2a82ffd7e7bfeaea0195

Analysis

max time kernel
124s
max time network
125s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30/03/2025, 18:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
Size

5.3MB
MD5

b30f365f08255e2128297748c80b168f
SHA1

fea92c5955ba118c3daf56c1a946e75e5238a350
SHA256

66e7b1ec39e7e5108495046e828f292f32c0cabd6bde2a82ffd7e7bfeaea0195
SHA512

701c45ecedc0972e98ebb66b2d5fa05c90e33dfb34a3d25d4cca5bfabd92c91a173ae3af4e9ae6659da3bba4cede671a758658313a7a0948dd2981e59cae48f9
SSDEEP

98304:ieF+iIAEl1JPz212IhzL+Bzz3dw/VQrWItDuB/sEXM:pWvSDzaxztQViWItDuBM

Score

10^/10

gofing credential_access discovery ransomware spyware stealer

Malware Config

Signatures

Gofing
Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.
ransomware gofing
Gofing family
gofing

Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation. 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000010343-4.dat	family_gofing
behavioral1/files/0x00020000000108a1-6478.dat	family_gofing

Drops file in Drivers directory 39 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\fr-FR\tcpip.sys.mui	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\drivers\it-IT\bfe.dll.mui	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\drivers\it-IT\qwavedrv.sys.mui	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\drivers\ja-JP\qwavedrv.sys.mui	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\drivers\en-US\bfe.dll.mui	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\drivers\en-US\tcpip.sys.mui	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\drivers\es-ES\scfilter.sys.mui	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\drivers\es-ES\tcpip.sys.mui	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\drivers\fr-FR\bfe.dll.mui	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\drivers\fr-FR\pacer.sys.mui	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\drivers\fr-FR\qwavedrv.sys.mui	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\drivers\it-IT\pacer.sys.mui	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\drivers\de-DE\tcpip.sys.mui	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\drivers\es-ES\qwavedrv.sys.mui	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\drivers\ja-JP\bfe.dll.mui	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\drivers\de-DE\pacer.sys.mui	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\drivers\ja-JP\tcpip.sys.mui	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\drivers\es-ES\bfe.dll.mui	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\drivers\es-ES\pacer.sys.mui	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\drivers\ja-JP\pacer.sys.mui	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\drivers\de-DE\bfe.dll.mui	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\drivers\de-DE\qwavedrv.sys.mui	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\drivers\en-US\scfilter.sys.mui	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\drivers\gm.dls	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\drivers\it-IT\scfilter.sys.mui	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\drivers\de-DE\scfilter.sys.mui	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\drivers\gmreadme.txt	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\drivers\it-IT\tcpip.sys.mui	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\drivers\ja-JP\scfilter.sys.mui	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\drivers\wimmount.sys	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\drivers\en-US\pacer.sys.mui	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\drivers\en-US\qwavedrv.sys.mui	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\drivers\fr-FR\scfilter.sys.mui	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe

Manipulates Digital Signatures 3 IoCs

Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\wintrust.dll	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip.dll	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe

Loads dropped DLL 9 IoCs

pid	Process
1236	Process not Found
1236	Process not Found
1236	Process not Found
1236	Process not Found
1236	Process not Found
1236	Process not Found
1236	Process not Found
1236	Process not Found
1236	Process not Found

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File created	C:\Users\Public\Music\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Public\Videos\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Globalization\MCT\MCT-GB\Wallpaper\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Games\Chess\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\Searches\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Media\Sonata\Desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Globalization\MCT\MCT-AU\Wallpaper\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Media\Raga\Desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\OM66BHWE\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\Music\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Public\Downloads\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Media\Cityscape\Desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Media\Desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\Links\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\YPLB435F\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4DY23DRT\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Public\Pictures\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Downloaded Program Files\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\Favorites\Links\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Public\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\Saved Games\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\Videos\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Public\Videos\Sample Videos\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\U8F4PBMO\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T072YXIW\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Media\Delta\Desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Media\Landscape\Desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Globalization\MCT\MCT-US\Wallpaper\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Media\Characters\Desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Media\Quirky\Desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\R627XHFP\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\Favorites\Links for United States\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Globalization\MCT\MCT-GB\Link\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe

Drops autorun.inf file 1 TTPs 1 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\de-DE\Magnification.dll.mui	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\es-ES\printui.dll.mui	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnbr006.inf_amd64_neutral_f156853def526447\Amd64\BRM867DN.GPD	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnsh002.inf_amd64_neutral_42b7a64f45c7554c\Amd64\SHJ11N03.GPD	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-CodecPack-Basic-Package~31bf3856ad364e35~amd64~fr-FR~6.1.7601.17514.cat	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\de-DE\bootres.dll.mui	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\de-DE\fdprint.dll.mui	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\DriverStore\FileRepository\acpipmi.inf_amd64_neutral_256ad642985694b3\acpipmi.PNF	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\KBDBR.DLL	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\en-US\EventCreate.exe.mui	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netb57va.inf_amd64_neutral_6264e97d4fc12211\netb57va.inf	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnlx00y.inf_amd64_neutral_977318f2317f5ddd\prnlx00y.inf	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\DriverStore\de-DE\netl260a.inf_loc	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prngt003.cat	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\en-US\oleres.dll.mui	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\DriverStore\en-US\brmfcsto.inf_loc	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\de-DE\about_remote.help.txt	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\fr-FR\powershell_ise.resources.dll	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_properties.help.txt	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\httpapi.dll	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\zh-CN\mlang.dll.mui	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prngt003.inf_amd64_neutral_8c9aae54a5673a35\Amd64\GS4000B6.GPD	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\DriverStore\fr-FR\mpio.inf_loc	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\DriverStore\ja-JP\prnrc002.inf_loc	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\Microsoft.PowerShell.Commands.Utility.dll-Help.xml	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\da-DK\fms.dll.mui	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\de-DE\ntprint.exe.mui	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\fr-FR\vsstrace.dll.mui	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\it-IT\msmpeg2enc.dll.mui	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\ja-JP\EhStorAPI.dll.mui	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\kbdgeoqw.dll	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\wbem\tspkg.mof	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\en-US\win32spl.dll.mui	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnep002.inf_amd64_neutral_efc4a7485b172c07\prnep002.inf	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnok302.inf_amd64_ja-jp_708c81a8b0ad8846\Amd64\OK905V_5.PPD	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\DriverStore\en-US\wiaca00b.inf_loc	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\DriverStore\ja-JP\wialx006.inf_loc	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\Network_LLU.log	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\de-DE\rrinstaller.exe.mui	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\fr-FR\certreq.exe.mui	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\bridgeunattend.exe	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_for_KB2639308_SP1~31bf3856ad364e35~amd64~~6.1.1.0.cat	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\ja-JP\nshwfp.dll.mui	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnep00g.inf_amd64_neutral_2926840e245f88f6\prnep00G.cat	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prngt004.inf_amd64_neutral_f5bf8a7ba9dfff55\Amd64\GS2171E3.PPD	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp005.inf_amd64_neutral_914d6c300207814f\Amd64\hp6000at.xml	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\DriverStore\en-US\prnle004.inf_loc	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\de-DE\thumbcache.dll.mui	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\Dism\ja-JP\MsiProvider.dll.mui	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\MediaMetadataHandler.dll	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\DriverStore\FileRepository\tsusbhub.inf_amd64_neutral_c67606b3f53ae4d4\tsusbhub.sys	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-WMPNetworkSharingService-Package~31bf3856ad364e35~amd64~~6.1.7600.16385.cat	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-DownlevelApisets-Com-WinIP-Package~31bf3856ad364e35~amd64~uk-UA~7.1.7601.16492.cat	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\es-ES\setx.exe.mui	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\it-IT\dnscmmc.dll.mui	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\Dism\ja-JP\CompatProvider.dll.mui	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnca00z.inf_amd64_neutral_27f402ce616c3ebc\Amd64\CNBPC4_1.DLL	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\DriverStore\es-ES\hdaudbus.inf_loc	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\DriverStore\fr-FR\netvg62a.inf_loc	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\de-DE\pathping.exe.mui	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnlx00b.inf_amd64_neutral_89b555703683b583\Amd64\LXE260.GPD	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\es-ES\about_functions_advanced_parameters.help.txt	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\SCardDlg.dll	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\pt-BR\DWrite.dll.mui	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_left.png	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\OfficeMUI.XML	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00938_.WMF	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\6.png	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02058U.BMP	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\ENV98.POC	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\hint_down.png	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\highDpiImageSwap.js	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-13	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD15155_.GIF	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\clock.html	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_rainy.png	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Ndjamena	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Berlin	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-ui.xml	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_dot.png	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waning-gibbous.png	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm.api	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01139_.WMF	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00527_.WMF	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.natives.nl_ja_4.4.0.v20140623020002.jar	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LAYERS\PREVIEW.GIF	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239975.WMF	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Things\SPLASH.WAV	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\css\localizedSettings.css	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\css\localizedSettings.css	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jvmstat.xml	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Baghdad	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Games\Purble Place\es-ES\PurblePlace.exe.mui	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01586_.WMF	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0106958.WMF	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Tripoli	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jre7\lib\fonts\LucidaTypewriterRegular.ttf	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\misc\libaudioscrobbler_plugin.dll	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AXIS\THMBNAIL.PNG	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TR00233_.WMF	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_GreenTea.gif	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\flower_h.png	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64.nl_ja_4.4.0.v20140623020002.jar	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libps_plugin.dll	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00177_.WMF	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105298.WMF	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107468.WMF	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME17.CSS	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Windows Media Player\WMPMediaSharing.dll	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\7-Zip\Lang\tr.txt	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationRight_ButtonGraphic.png	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\liblibass_plugin.dll	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\TipRes.dll.mui	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02062U.BMP	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\APPT.CFG	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\MSTTSEngine.dll	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msdaremr.dll.mui	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.artifact.repository.nl_zh_4.4.0.v20140623020002.jar	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107724.WMF	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00638_.WMF	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSSP7ES.dub	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\Microsoft.Build.Conversion.v3.5.resources.dll	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msadcor.dll.mui	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationRight_ButtonGraphic.png	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\decorative_rule.png	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Broken_Hill	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\Media\recycle.wav	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Security.Cryptography.Primitives.dll	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Culture.dll	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1036\SetupResources.dll	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Threading.Overlapped\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Threading.Overlapped.dll	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\PLA\Reports\en-US\Report.System.Memory.xml	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Media\Characters\Windows Feed Discovered.wav	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Media\Delta\Windows Information Bar.wav	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\sysglobl.dll	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\NETFXRepair.1044.dll	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\PolicyDefinitions\COM.admx	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_atl100_x64	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.5\DataSvcUtil.exe	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe.config	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Help\Windows\en-US\Windows_AssetId.H1K	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\Wizard\App_LocalResources\wizardCreateRoles.ascx.resx	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Web.DynamicData.dll	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualC\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.dll	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess32.exe.config	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Data.Entity.Build.Tasks.dll	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\PolicyDefinitions\ja-JP\SystemRestore.adml	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Fonts\vgaf1256.fon	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\JA\shfusion.chm	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\System.Drawing.tlb	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\it\system.Resources.dll	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ja\Microsoft.Transactions.Bridge.Resources.dll	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Providers\App_LocalResources\manageProviders.aspx.resx	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Globalization\MCT\MCT-GB\Link\GB-1.url	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\00004109110000000000000000F01FEC\14.0.4763\rtscom.dll.99741D6B_FCC2_4B3D_83AB_413A37786D04	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Media\Calligraphy\Windows Battery Low.wav	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Xml.XPath.XDocument.dll	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Workflow.Targets	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Help\Windows\de-DE\langreg.h1s	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Providers\ProviderList.ascx	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\PresentationCore\v4.0_4.0.0.0__31bf3856ad364e35\PresentationCore.dll	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Fonts\LSANSD.TTF	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\Roles\App_LocalResources\manageAllRoles.aspx.fr.resx	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\fr\Microsoft.JScript.Resources.dll	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\DebugAndTrace.aspx	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\App_Data\GroupedProviders.xml	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\PolicyDefinitions\en-US\SharedFolders.adml	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Help\Windows\fr-FR\recycle.h1s	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\PolicyDefinitions\es-ES\WDI.adml	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Help\mui\0410\rsop.CHM	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_LocalResources\home0.aspx.it.resx	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard\App_LocalResources\wizardPermission.ascx.fr.resx	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\Culture.dll	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\en-US\ServiceModelInstallRC.dll.mui	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\fr\ServiceModelReg.resources.dll	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Data.SqlXml.dll	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Fonts\BOD_R.TTF	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File opened for modification	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\oisicon.exe	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\1040\cscompui.dll	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\PolicyDefinitions\en-US\UserDataBackup.adml	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Resources\Themes\Aero\Shell\NormalColor\de-DE\shellstyle.dll.mui	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Fonts\LBRITE.TTF	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Help\Windows\es-ES\artcon5.h1s	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Media\Landscape\Windows Logoff Sound.wav	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.rsp	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Prefetch\CONHOST.EXE-1F3E9D7E.pf	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File opened for modification	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\misc.exe	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_rc.dll	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\Graphics\Print.ico	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

C:\Users\Admin\AppData\Local\Temp\2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe"
1⤵
- Drops file in Drivers directory
- Manipulates Digital Signatures
- Drops startup file
- Drops desktop.ini file(s)
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:1944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\PidGenX.dll

Filesize
5.3MB

MD5
67f3a5227cd4bd1a9be10f83aad155fd

SHA1
3adadbe9c4020ffdc020ac18979d5abf16b7da2e

SHA256
03ff5ee0ec3786af623daadee4e659ec8265bc279380b6f2e8df698c884e046e

SHA512
d7509f5b81853b390553a8ea1cf7549ab7b4c72a2fb1812f931c8bcc391c2464bf95d0b0aa2e329cd57a2f022ef989fa15d68ba466e04d1f3946fc572cfd0546

Download Submit
\Program Files\Common Files\Microsoft Shared\OFFICE14\msoshext.dll

Filesize
5.3MB

MD5
8243e9d9de9a3fd58f5d453fa760787f

SHA1
56a4310754518b3cdd3055b9bcb1fcf070e8bc21

SHA256
5867428d1721db822d3c5559d652031a4768f3dc13d52855f10afe7563f9a4fc

SHA512
bf881377949367b61d4a16683a61338e022466b9148def3996ba35b2926f3e22c71d5badc9ca00de3b97bdf8e72cb3bf5368cde34fe028eeca1c9500721b55fa

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads