gofing | 66e7b1ec39e7e5108495046e828f292f32c0cabd6bde2a82ffd7e7bfeaea0195

Analysis

max time kernel
150s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
30/03/2025, 18:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
Size

5.3MB
MD5

b30f365f08255e2128297748c80b168f
SHA1

fea92c5955ba118c3daf56c1a946e75e5238a350
SHA256

66e7b1ec39e7e5108495046e828f292f32c0cabd6bde2a82ffd7e7bfeaea0195
SHA512

701c45ecedc0972e98ebb66b2d5fa05c90e33dfb34a3d25d4cca5bfabd92c91a173ae3af4e9ae6659da3bba4cede671a758658313a7a0948dd2981e59cae48f9
SSDEEP

98304:ieF+iIAEl1JPz212IhzL+Bzz3dw/VQrWItDuB/sEXM:pWvSDzaxztQViWItDuBM

Score

10^/10

gofing credential_access discovery ransomware spyware stealer

Malware Config

Signatures

Gofing
Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.
ransomware gofing
Gofing family
gofing

Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation. 3 IoCs

resource	yara_rule
behavioral2/files/0x0003000000022a49-4.dat	family_gofing
behavioral2/files/0x0002000000021ebf-5423.dat	family_gofing
behavioral2/files/0x0002000000021e89-5433.dat	family_gofing

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe

Loads dropped DLL 36 IoCs

pid	Process
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\manifest.json	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\Favorites\Links\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\Videos\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Public\Pictures\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\Desktop\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Fonts\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\Favorites\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\3D Objects\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Downloaded Program Files\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Offline Web Pages\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\Music\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\Searches\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\Links\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\Contacts\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\OneDrive\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Public\Documents\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Media\Desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\Downloads\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Public\Music\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\Documents\desktop.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe

Drops autorun.inf file 1 TTPs 1 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Internet Explorer\uk-UA\ieinstal.exe.mui	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color120.png	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionWideTile.scale-100.png	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Windows.Forms.Design.resources.dll	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Office16\EXCEL.VisualElementsManifest.xml	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOHEVI.DLL	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-black\SmallTile.scale-125_contrast-black.png	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\MoviesAnywhereLogoWithTextLight.scale-125.png	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Microsoft.IoT.Cortana.winmd	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.targetsize-256_altform-unplated.png	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\download.svg	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jre-1.8\lib\net.properties	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Custom.propdesc	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection64.exe	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.513.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\AppxSignature.p7x	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-20_contrast-black.png	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\Locales\am.pak	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-core-localization-l1-2-0.dll	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\filecompare.exe	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\Microsoft.Build.Engine.resources.dll	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libdca_plugin.dll	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\baseAltGr_rtl.xml	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTest-ul-oob.xrm-ms	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-32_altform-unplated.png	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\OutlookMailSmallTile.scale-200.png	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk-1.8\jre\README.txt	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.ReportingServices.QueryDesigners.dll	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-96_contrast-black.png	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.scale-200.png	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Yahoo-Dark.scale-100.png	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\WindowsFormsIntegration.resources.dll	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\msvcp140_2.dll	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Grace-ul-oob.xrm-ms	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-256.png	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTest-ul-oob.xrm-ms	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\LargeTile.scale-150.png	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-white\MedTile.scale-100_contrast-white.png	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Internet Explorer\sqmapi.dll	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\EdgeUpdate.dat	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_OEM_Perp-pl.xrm-ms	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MedTile.scale-200_contrast-white.png	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00.UWPDesktop_14.0.27629.0_x64__8wekyb3d8bbwe\mfc140ita.dll	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\A12_Spinner_2x.gif	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Windows Media Player\uk-UA\setup_wm.exe.mui	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription2-pl.xrm-ms	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PG_INDEX.XML	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\AppPackageMedTile.scale-125_contrast-black.png	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\AppPackageSplashScreen.scale-125_contrast-black.png	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\VoiceRecorderSplashScreen.contrast-white_scale-125.png	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-64_contrast-white.png	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.scale-100.png	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Primitives.dll	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\server\jvm.dll	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mn\LC_MESSAGES\vlc.mo	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\BadgeLogo.scale-150_contrast-white.png	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Edit_R_RHP.aapp	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\close.svg	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\adc_logo.png	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Windows Media Player\es-ES\mpvis.dll.mui	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-96_altform-lightunplated.png	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\Boot\EFI\zh-TW\memtest.efi.mui	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Cursors\help_rl.cur	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\INF\ServiceModelService 3.0.0.0\0000\_ServiceModelServicePerfCounters_D.ini	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\INF\mausbhost.PNF	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\ImmersiveControlPanel\images\TinyTile.scale-200.png	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MUI\0411\mscorsecr.dll	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\1031\CvtResUI.dll	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\Wizard\App_LocalResources\wizardPermission.ascx.resx	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\en\DropSqlWorkflowInstanceStoreLogic.sql	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\bopomofo.nlp	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationClientsideProviders.resources\v4.0_4.0.0.0_de_31bf3856ad364e35\UIAutomationClientsideProviders.resources.dll	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\Roles\App_LocalResources\manageSingleRole.aspx.fr.resx	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost.Resources\v4.0_3.0.0.0_it_31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.Resources.dll	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\PLA\Rules\fr-FR\Rules.System.Wireless.xml	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Input.Manipulations\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Input.Manipulations.dll	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\PLA\Reports\fr-FR\Report.System.Memory.xml	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\PLA\Rules\de-DE\Rules.System.Common.xml	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\Browsers\firefox.browser	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Runtime.dll	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Fonts\tahoma.ttf	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\INF\wvmgid.PNF	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\DataMatrix.pmp	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Activities.dll	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\v4.0_10.0.0.0_fr_31bf3856ad364e35\Microsoft.GroupPolicy.AdmTmplEditor.Resources.dll	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Fonts\serf1257.fon	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\L2Schemas\WWAN_profile_v3.xsd	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Media\Windows Shutdown.wav	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\Users\findUsers.aspx	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\PLA\Reports\es-ES\Report.System.NetDiagFramework.xml	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\PolicyDefinitions\en-US\RacWmiProv.adml	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Fonts\cga80852.fon	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\INF\c_biometric.inf	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\INF\mdmgl010.inf	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\INF\mdmomrn3.inf	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\INF\tsusbhub.inf	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_mfcm100_x64	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Globalization.Calendars.dll	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group3\04 - Disk Management.lnk	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\INF\nvraid.inf	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\1041\alinkui.dll	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ja\Microsoft.Workflow.Compiler.resources.dll	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.ApplicationId.RuleWizard.Resources\v4.0_10.0.0.0_es_31bf3856ad364e35\Microsoft.ApplicationId.RuleWizard.Resources.dll	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\GlobalSerif.CompositeFont	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\fr\System.Data.Linq.resources.dll	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\UninstallCommon.sql	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\sysglobl.dll	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\PolicyDefinitions\Radar.admx	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\PolicyDefinitions\de-DE\WirelessDisplay.adml	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\INF\msdv.inf	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Roles\App_LocalResources\manageSingleRole.aspx.de.resx	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\fr\MSBuild.resources.dll	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Panther\UnattendGC\setupact.log	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Speech\Engines\Lexicon\ja-JP\lsr1041.lxa	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\INF\mdmmotou.inf	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Installer\38c6.msi	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.5\SQL\fr\DropSqlPersistenceProviderLogic.sql	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelPerformanceCounters.dll	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\fr\System.ServiceModel.Channels.resources.dll	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Entity.resources\v4.0_4.0.0.0_es_b77a5c561934e089\System.Web.Entity.resources.dll	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Services.Client\v4.0_4.0.0.0__b77a5c561934e089\System.Data.Services.Client.dll	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.DataVisualization.resources\v4.0_4.0.0.0_fr_31bf3856ad364e35\System.Web.DataVisualization.resources.dll	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\PLA\Reports\en-US\Report.System.Disk.xml	2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

C:\Users\Admin\AppData\Local\Temp\2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-30_b30f365f08255e2128297748c80b168f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe"
1⤵
- Drops startup file
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops autorun.inf file
- Drops file in Program Files directory
- Drops file in Windows directory
PID:4256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7-zip.dll

Filesize
4.2MB

MD5
b2b20063e871389db3463549efd8b5ac

SHA1
f23419d99a5b4ba6feb0aa079368af2cfce2a719

SHA256
68912a18f09ff4c9b0c5ec47d4e07557b2a17a9103645dcaf99915eb53380d8e

SHA512
9f9da4567ff68efe85ce8da6953d2792859f52891a2f3cc9527bdaa3182d5a6694463cec26f509f360189bc3feded66985d43ac0e1d5639ba05c4204a683e0f1

Download Submit
C:\Program Files\Microsoft Office\root\Office16\VISSHE.DLL

Filesize
4.4MB

MD5
3d1df67b20a4ad71cbe6b5bf02d363f5

SHA1
5148c758a5e4562b93b9193c743ad91becc391ea

SHA256
0cbd30a743fb1d4390e78d34da144b4d486204311d35e438999c146cba7cf7b7

SHA512
878067ba6864cedec9fd2e08819c6de9706182e21545375eaae5c4f5955a03e104a99936dff502442dc8137a3b8007b765bc1a5797c0965d7c8493a7621e501c

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

Filesize
5.8MB

MD5
15773e10fb485904dc548d0d57106e68

SHA1
3bad28e49759f35cc9fc26e286947beaa91e7631

SHA256
1a5476b26f90da448896611397a9caff00e1a06297f5211b00705ba3e50f69e0

SHA512
7ebb0a39723ed491b4881564bff3aa3e0f9d738d3ec4fe276da5157dc0e19c1da324fa908fb21114b94950e052d7cabfbc43ee224f35474ce108cfdd09b37eac

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads