Analysis
-
max time kernel
150s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system -
submitted
30/03/2025, 19:03
Behavioral task
behavioral1
Sample
2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
Resource
win7-20240903-en
windows7-x64
15 signatures
150 seconds
Behavioral task
behavioral2
Sample
2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
Resource
win10v2004-20250314-en
windows10-2004-x64
16 signatures
150 seconds
General
-
Target
2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
-
Size
4.2MB
-
MD5
8361fe24e0593d9a1415be1643477c9c
-
SHA1
17bdf489a579251a25c6fd3a8a7627088ba36633
-
SHA256
f82516763abff108242f5bfd4c65fa75f8977553a05e339ae992a2dab96a2a6e
-
SHA512
cd550c959030547911d964f392f483b58a3f98efe33a9a306cf95f82d7a9a0c0441266d1ba3321fee4de044cb4c169bd93352df5a2a2ce1462dff9b37317f820
-
SSDEEP
49152:ieutLO9rb/TrvO90dL3BmAFd4A64nsfJJ2TIA5GNP1Jr4u/TgAPNdi9128qk1q4k:ieF+iIAEl1JPz212IhzL+Bzz3dw/VK
Malware Config
Signatures
-
Gofing
Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.
-
Gofing family
-
Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation. 1 IoCs
resource yara_rule behavioral2/files/0x0003000000022a47-4.dat family_gofing -
Renames multiple (52) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops file in Drivers directory 22 IoCs
description ioc Process File created C:\Windows\SysWOW64\drivers\es-ES\wfplwfs.sys.mui 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\fr-FR\NdisImPlatform.sys.mui 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\gm.dls 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\gmreadme.txt 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\afunix.sys 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\de-DE\NdisImPlatform.sys.mui 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\en-US\NdisImPlatform.sys.mui 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\es-ES\NdisImPlatform.sys.mui 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\ja-JP\wfplwfs.sys.mui 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\uk-UA\NdisImPlatform.sys.mui 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\de-DE\wfplwfs.sys.mui 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\en-US\wfplwfs.sys.mui 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\it-IT\NdisImPlatform.sys.mui 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\it-IT\wfplwfs.sys.mui 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\fr-FR\wfplwfs.sys.mui 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\ja-JP\NdisImPlatform.sys.mui 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe -
Manipulates Digital Signatures 2 IoCs
Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.
description ioc Process File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\wintrust.dll 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe -
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops Chrome extension 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\manifest.json 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe -
Drops desktop.ini file(s) 64 IoCs
description ioc Process File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\Videos\desktop.ini 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Media\Desktop.ini 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\Favorites\Links\desktop.ini 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Public\AccountPictures\desktop.ini 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\Music\desktop.ini 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Public\Videos\desktop.ini 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\$Recycle.Bin\S-1-5-21-446031748-3036493239-2009529691-1000\desktop.ini 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\Desktop\desktop.ini 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Public\Documents\desktop.ini 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Public\Libraries\desktop.ini 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\Downloads\desktop.ini 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Offline Web Pages\desktop.ini 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\Pictures\desktop.ini 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\Favorites\desktop.ini 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Public\Music\desktop.ini 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\OneDrive\desktop.ini 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Fonts\desktop.ini 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\Links\desktop.ini 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\Searches\desktop.ini 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Downloaded Program Files\desktop.ini 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe -
Drops autorun.inf file 1 TTPs 1 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\ApiSetHost.AppExecutionAlias.dll 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetTCPIP\NetTCPIP.psd1 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-UtilityVM-Containers-Shared-merged-Package~31bf3856ad364e35~amd64~uk-UA~10.0.19041.1.cat 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.264.cat 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\KBDVNTC.DLL 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-EmbeddedExp-WOW64-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\it-IT\wlgpclnt.dll.mui 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\ja-JP\packager.dll.mui 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-Host-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppServerClient-OptGroup-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\LaunchWinApp.exe 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\dnsapi.dll 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Portable-Devices-WOW64-merged-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Portable-Devices-merged-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Printing-XPSServices-Package~31bf3856ad364e35~amd64~uk-UA~10.0.19041.1.cat 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-WindowsFoundation-LanguagePack-Package~31bf3856ad364e35~amd64~uk-UA~10.0.19041.1.cat 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\LocationFrameworkInternalPS.dll 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\MSOpusDecoder.dll 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\Speech_OneCore\Common\en-US\Tokens_SR_en-US-N.xml 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\advpack.dll 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\msports.dll 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0010~31bf3856ad364e35~amd64~uk-UA~10.0.19041.1.cat 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Hyphenation-Dictionaries-it-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\DriverStore\FileRepository\c_fsencryption.inf_amd64_b4b4845819a23338\c_fsencryption.inf 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_RegistryResource\de-DE\MSFT_RegistryResource.schema.mfl 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\de-DE\LockAppBroker.dll.mui 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\windows.applicationmodel.conversationalagent.internal.proxystub.dll 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-DirectoryServices-ADAM-Client-OptGroup-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Printing-LPDPrintService-Opt-Package~31bf3856ad364e35~amd64~uk-UA~10.0.19041.1.cat 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\en-US\ieunatt.exe.mui 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\Display.dll 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\PortableDeviceConnectApi.dll 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-IsolatedVM-SVC-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Holographic-Desktop-Analog-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Portable-Devices-WOW64-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\Configuration\Schema\MSFT_FileDirectoryConfiguration\uk-UA\MSFT_FileDirectoryConfiguration.Schema.mfl 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\Windows.UI.Input.Inking.dll 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BranchCache\BranchCachePrimaryPublicationCacheFile.cdxml 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\cttunesvr.exe 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\ja-JP\srcore.dll.mui 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-VmTpm-Package~31bf3856ad364e35~amd64~~10.0.19041.928.cat 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\microsoft-windows-RemoteFX-clientVM-RemoteFXWDDMDriver-WOW64-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\DriverStore\FileRepository\c_fssystem.inf_amd64_89e15d7e662d6584\c_fssystem.inf 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\Dism\es-ES\WimProvider.dll.mui 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\TtlsExt.dll 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Host\Microsoft.PowerShell.Host.psd1 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\cs-CZ\APHostRes.dll.mui 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\es-ES\fixmapi.exe.mui 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\es-ES\msoert2.dll.mui 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\ieui.dll 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\taskschd.msc 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\KBDHELA2.DLL 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\Keywords\{A5A7C794-3D59-41DF-915F-19ACDA526FC9}16393.bin 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\migration\es-ES\SxsMigPlugin.dll.mui 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\vsstrace.dll 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-System-VmDirect-merged-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Guest-KMCL-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Multimedia-RestrictedCodecs-merged-Package~31bf3856ad364e35~amd64~uk-UA~10.0.19041.1.cat 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecConfig-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\it-IT\dsregtask.dll.mui 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\rastls.dll 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\wbem\ja-JP\schedprov.mfl 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-RegulatedPackages-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.264.cat 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\DfsShlEx.dll 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\PeopleMedTile.scale-100.png 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-48_altform-lightunplated.png 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-64_contrast-white.png 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\networkmanifest.xml 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\UIAutomationTypes.resources.dll 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\Java\jdk-1.8\jre\legal\jdk\pkcs11cryptotoken.md 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\xmlrw_xl.dll 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUECALM\BLUECALM.INF 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00.UWPDesktop_14.0.27629.0_x64__8wekyb3d8bbwe\mfc140cht.dll 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-white\MedTile.scale-100.png 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.HttpListener.dll 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp2-ul-oob.xrm-ms 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\EmptyView.scale-100.png 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_BeforeEach_AfterEach.help.txt 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-48_altform-lightunplated.png 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\DocumentFormat.OpenXml.dll 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\Microsoft Office\root\rsod\proof.es-es.msi.16.es-es.boot.tree.dat 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubStoreLogo.scale-125_contrast-white.png 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.targetsize-16_altform-unplated_contrast-black.png 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptyView-Dark.scale-125.png 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-ul-oob.xrm-ms 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Xml.dll 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Presentation.dll 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_move_18.svg 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\close.svg 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\Common Files\microsoft shared\ink\ipscat.xml 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.DataSetExtensions.Resources.dll 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-64_altform-colorize.png 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\BlurredGradientBackground.png 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\elevation_service.exe 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\Locales\vi.pak 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\Java\jdk-1.8\jre\lib\jce.jar 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\VideoLAN\VLC\plugins\video_output\libwingdi_plugin.dll 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-16_altform-unplated.png 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_nb_135x40.svg 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Trust Protection Lists\Sigma\Entities 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionWideTile.scale-400.png 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\GamesXboxHubLargeTile.scale-100.png 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\OutlookMailWideTile.scale-400.png 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-file-l2-1-0.dll 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\StoreLargeTile.scale-100.png 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageBadgeLogo.scale-200.png 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-24_altform-unplated.png 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\ShouldContain.snippets.ps1xml 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\msedge.dll.sig 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\Microsoft\EdgeUpdate_disable\1.3.195.43\msedgeupdateres_lt.dll 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\WindowsBase.dll 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionGroupWideTile.scale-200.png 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\Context.snippets.ps1xml 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_filterselected-default_32.svg 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\VideoLAN\VLC\plugins\codec\libuleaddvaudio_plugin.dll 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-80.png 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\circle.cur 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\Common Files\System\de-DE\wab32res.dll.mui 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-ppd.xrm-ms 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\msedgewebview2.exe 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\VideoLAN\VLC\lua\http\requests\status.json 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubMedTile.scale-125.png 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-32_altform-unplated_contrast-white.png 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Algorithms.dll 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ja\System.Web.Entity.Design.resources.dll 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Globalization\ELS\SpellDictionaries\Fluency\it-IT\.config 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\Browsers\goAmerica.browser 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\PolicyDefinitions\en-US\Search.adml 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Cursors\aero_helpsel.cur 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\normnfkd.nlp 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Runtime.Serialization.Primitives.dll 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group2\2 - Search.lnk 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\de\InstallUtil.resources.dll 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\IIEHost.dll 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ilasm.exe.config 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\PolicyDefinitions\de-DE\RemoteAssistance.adml 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\PolicyDefinitions\fr-FR\WindowsConnectNow.adml 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\PolicyDefinitions\ja-JP\MDM.adml 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Speech_OneCore\Engines\TTS\ja-JP\M1041Ichiro.INI 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Fonts\vga936.fon 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Globalization\ELS\SpellDictionaries\Fluency\de-DE\.config 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\INF\uicciso.inf 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Reflection.dll 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ja\System.Web.Mobile.resources.dll 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\App_LocalResources\home0.aspx.ja.resx 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\AppSetting.ascx 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\PresentationNative_v0400.dll 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Fonts\vgasys.fon 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Help\mui\0407\odbcjet.chm 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\fr-FR\ServiceModelInstallRC.dll.mui 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\de-DE\ServiceModelInstallRC.dll.mui 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\de\System.Activities.resources.dll 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\fr\aspnet.mfl 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework.AeroLite\v4.0_4.0.0.0__31bf3856ad364e35\PresentationFramework.AeroLite.dll 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Globalization\ELS\SpellDictionaries\MsSp7uk.dub 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ja\System.ServiceProcess.resources.dll 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Workflow.ServiceCore.Resources\v4.0_3.0.0.0_fr_31bf3856ad364e35\Microsoft.PowerShell.Workflow.ServiceCore.Resources.dll 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\PolicyDefinitions\es-ES\NCSI.adml 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\PolicyDefinitions\fr-FR\ErrorReporting.adml 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\GAC\fr\Microsoft.VisualBasic.Compatibility.resources.dll 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\fr\caspol.resources.dll 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\App_LocalResources\WebAdminHelp_Application.aspx.ja.resx 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Uev.ManagedAgentWmi\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Uev.ManagedAgentWmi.dll 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap.resources\v4.0_4.0.0.0_it_b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.resources.dll 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\PolicyDefinitions\es-ES\WindowsRemoteManagement.adml 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_LocalResources\WebAdminHelp_Application.aspx.it.resx 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Providers\App_LocalResources\manageconsolidatedProviders.aspx.ja.resx 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\DE\ShFusRes.dll 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Linq.Expressions.dll 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\it\System.Runtime.DurableInstancing.resources.dll 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.GroupPolicy.AdmTmplEditor.dll 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\PolicyDefinitions\fr-FR\Search.adml 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\UninstallSqlStateTemplate.sql 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\de\System.Windows.Input.Manipulations.resources.dll 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Activities.Build.resources\v4.0_4.0.0.0_ja_31bf3856ad364e35\Microsoft.Activities.Build.resources.dll 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics.Vectors\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Numerics.Vectors.dll 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\PolicyDefinitions\fr-FR\MDM.adml 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\PolicyDefinitions\ja-JP\GameDVR.adml 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Installer\SourceHash{9F51D16B-42E8-4A4A-8228-75045541A2AE} 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\Browsers\Default.browser 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\ReachFramework.dll 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CLR.mof 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\it\System.Messaging.Resources.dll 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationCFFRasterizer.dll 2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe"C:\Users\Admin\AppData\Local\Temp\2025-03-30_8361fe24e0593d9a1415be1643477c9c_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe"1⤵
- Drops file in Drivers directory
- Manipulates Digital Signatures
- Drops startup file
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:1012
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.2MB
MD5d73d6111cb597f5d879113e4a34b13b7
SHA16eb57bf8c28ee70487e12488338f7d7d6baa0ff6
SHA2566dafc519093310608d7d66aa2d4acc3fc53a0f7262d906348833baa3ea3fc1ea
SHA51266bf6ddc97ac73493184c41838cf38af13100015759006d441cc763f59a607fff63014938a58a50a397eb19abdbc3c022eefec675fcb014ed688b71592922c12