Analysis
-
max time kernel
144s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system -
submitted
30/03/2025, 20:56
Behavioral task
behavioral1
Sample
2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
Resource
win7-20241010-en
windows7-x64
15 signatures
150 seconds
Behavioral task
behavioral2
Sample
2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
Resource
win10v2004-20250314-en
windows10-2004-x64
16 signatures
150 seconds
General
-
Target
2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
-
Size
4.5MB
-
MD5
62ffd2d038a93df17e8621e8356497b9
-
SHA1
2964e013a031c8395d887a59637db5fd09f8c18d
-
SHA256
c0b58726a6b23f3cc7f5a809228944feb89fbda213fe34cc2eb22621cfe6b3b1
-
SHA512
e66b7a5110c9a4c8773e53ecac61dea9ddff1e26d68c5d20e42852786e5ba2a0eeed560d43a483e5ac9caa20e0574dc35eaaeba0b9f32fcdf4b5154b729a337c
-
SSDEEP
49152:ieutLO9rb/TrvO90dL3BmAFd4A64nsfJJ2TIA5GNP1Jr4u/TgAPNdi9128qk1q4T:ieF+iIAEl1JPz212IhzL+Bzz3dw/V9
Malware Config
Signatures
-
Gofing
Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.
-
Gofing family
-
Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation. 1 IoCs
resource yara_rule behavioral2/files/0x0003000000022a7d-4.dat family_gofing -
Renames multiple (51) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops file in Drivers directory 22 IoCs
description ioc Process File created C:\Windows\SysWOW64\drivers\ja-JP\NdisImPlatform.sys.mui 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\ja-JP\wfplwfs.sys.mui 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\fr-FR\NdisImPlatform.sys.mui 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\it-IT\wfplwfs.sys.mui 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\uk-UA\NdisImPlatform.sys.mui 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\de-DE\NdisImPlatform.sys.mui 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\de-DE\wfplwfs.sys.mui 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\en-US\NdisImPlatform.sys.mui 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\en-US\wfplwfs.sys.mui 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\afunix.sys 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\es-ES\wfplwfs.sys.mui 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\fr-FR\wfplwfs.sys.mui 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\gm.dls 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\it-IT\NdisImPlatform.sys.mui 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\es-ES\NdisImPlatform.sys.mui 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\gmreadme.txt 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe -
Manipulates Digital Signatures 3 IoCs
Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.
description ioc Process File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\wintrust.dll 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip.dll 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe -
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops Chrome extension 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\manifest.json 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe -
Drops desktop.ini file(s) 64 IoCs
description ioc Process File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\Contacts\desktop.ini 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\Downloads\desktop.ini 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\OneDrive\desktop.ini 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Public\Documents\desktop.ini 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Public\Downloads\desktop.ini 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Public\AccountPictures\desktop.ini 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\Pictures\Camera Roll\desktop.ini 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\Searches\desktop.ini 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Public\Desktop\desktop.ini 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Public\Libraries\desktop.ini 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Public\desktop.ini 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\Pictures\desktop.ini 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\Saved Games\desktop.ini 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\Videos\desktop.ini 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\desktop.ini 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\Pictures\Saved Pictures\desktop.ini 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\desktop.ini 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Public\Pictures\desktop.ini 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe -
Drops autorun.inf file 1 TTPs 1 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetworkTransition\MSFT_NetDnsTransitionConfiguration.cdxml 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\wbem\es-ES\PrintManagementProvider.dll.mui 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-PhotoBasic-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\DriverStore\FileRepository\c_firmware.inf_amd64_36e4e17f210128ab\c_firmware.inf 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\DriverStore\FileRepository\usbxhci.inf_amd64_6e228bfaadb050c6\USBXHCI.SYS 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\DriverStore\en-US\avc.inf_loc 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\Microsoft.Uev.ManagedEventLogging.dll 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\de-DE\neth.dll.mui 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\MixedRealityRuntime.dll 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\cmifw.dll 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\neth.dll 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-Common-WOW64-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\WFDSConMgr.dll 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\AuthBroker.dll 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\F12\DiagnosticsTap.dll 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\cngprovider.dll 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\de-DE\UpdatePolicy.dll.mui 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\da-DK\comctl32.dll.mui 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\fr-FR\hgcpl.dll.mui 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\jsproxy.dll 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Containers-Guest-Gated-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.867.cat 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Host-Compute-PowerShell-Module-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-UX-UI-Client-merged-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\LanguageFeatures-TextInput-ja-jp-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\DriverStore\fr-FR\mlx4_bus.inf_loc 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Basic-Http-Minio-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\F12\uk-UA\F12Script.dll.mui 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\crypt32.dll 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Multimedia-RestrictedCodecsDolby-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.153.cat 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\DscCoreConfProv.dll 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\en-US\DeviceCenter.dll.mui 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\fr-FR\wmitomi.dll.mui 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\it-IT\Winrs.exe.mui 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\en-US\SyncController.dll.mui 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\en-US\wevtfwd.dll.mui 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\wbem\ja-JP\netttcim.mfl 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-TerminalServices-WMIProvider-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\WindowsPowerShell\v1.0\Modules\NetLbfo\MSFT_NetLbfoTeamMember.cdxml 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\aepic.dll 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\en-US\NcdProp.dll.mui 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SearchEngine-Client-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Provisioning\provpackageapi.dll 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\cmdial32.dll 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Appx\Appx.psm1 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\de-DE\ieui.dll.mui 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\en-US\shellstyle.dll.mui 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\sfc.exe 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_c62e9f8067f98247\Amd64\UNIDRVUI.DLL 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\DriverStore\es-ES\UcmUcsiAcpiClient.inf_loc 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\DriverStore\es-ES\msux64w10.INF_loc 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\DriverStore\es-ES\nulhprs8.inf_loc 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\DriverStore\it-IT\ts_wpdmtp.inf_loc 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetAdapter\MSFT_NetAdapterLso.Format.ps1xml 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\dhcpcore.dll 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\it-IT\AdmTmpl.dll.mui 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\mfc140rus.dll 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\srm.dll 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\ARP.EXE 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-PAW-Feature-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\DriverStore\FileRepository\prnms008.inf_amd64_69b5e0c918eab9a6\Amd64\unishare3d-pipelineconfig.xml 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\es-ES\lipeula.rtf 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\services.msc 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\DriverStore\fr-FR\bthprint.inf_loc 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ScriptResource\ja-JP\MSFT_ScriptResource.schema.mfl 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\UIAutomationClient.resources.dll 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\Common Files\microsoft shared\ink\uk-UA\tipresx.dll.mui 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\W0.png 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\MyOffice.RuntimeComponents.winmd 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeBadge.scale-125.png 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest5-pl.xrm-ms 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-256.png 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Locales\ca.pak 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Microsoft.PowerShell.Operation.Validation.psm1 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\ja\Microsoft.PackageManagement.MetaProvider.PowerShell.resources.dll 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\Office.en-us\SETUP.CHM 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-white\LargeTile.scale-200.png 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-40_altform-unplated.png 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Windows.dll 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\Installer\setup.exe 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\StoreMedTile.scale-100.png 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarSplashLogo.scale-125.png 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\UIAutomationClientSideProviders.resources.dll 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraMedTile.contrast-black_scale-200.png 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\en-gb\hxcommintl.dll 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-36_altform-unplated.png 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_display_plugin.dll 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\TimerSmallTile.contrast-white_scale-125.png 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-ul-oob.xrm-ms 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-white\WideTile.scale-200.png 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-64_altform-unplated.png 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\it-it\ui-strings.js 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\Google\Chrome\Application\133.0.6943.60\default_apps\external_extensions.json 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\clearkey.dll 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-48_altform-unplated.png 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-60.png 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Toolkit\Images\DefaultProfileImage.png 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-40_contrast-white.png 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\msedge.dll.sig 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\edge_game_assist\VERSION 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-black_scale-80.png 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\nb-NO\View3d\3DViewerProductDescription-universal.xml 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\pt_get.svg 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\bg.pak 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.Linq.Resources.dll 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\VideoLAN\VLC\locale\mn\LC_MESSAGES\vlc.mo 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-24_altform-unplated_contrast-black.png 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_it_135x40.svg 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.Services.Client.resources.dll 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarLargeTile.scale-150.png 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\Java\jdk-1.8\jre\lib\management-agent.jar 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GOTHICB.TTF 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\sql70.xsl 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionGroupWideTile.scale-200.png 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\TXP_Flight.png 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\bg7.jpg 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\PresentationFramework.resources.dll 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_KMS_Client_AE-ul-oob.xrm-ms 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\HelpAndFeedback\BlogThumbnail.png 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-32_altform-unplated_contrast-white.png 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\d3dcompiler_47.dll 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\apple-touch-icon-57x57-precomposed.png 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-rdr-ja_jp.gif 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\root\ui-strings.js 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ko-kr\ui-strings.js 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\Assets\Images\SkypeLargeTile.scale-125.png 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Primitives.dll 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_asf_plugin.dll 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File created C:\Windows\Fonts\Candaral.ttf 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\DE\MSBuild.resources.dll 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\SmtpSettings.aspx 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\Users\App_LocalResources\addUser.aspx.it.resx 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\es\System.ComponentModel.DataAnnotations.resources.dll 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Serialization.Xml\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Xml.dll 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Speech_OneCore\Engines\TTS\es-ES\M3082Ana.APM 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\INF\mdmtdkj6.inf 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\JA\System.Runtime.Serialization.Formatters.Soap.Resources.dll 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\System.Design.dll 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework\v3.5\vbc.exe.config 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\es\System.ServiceModel.Routing.resources.dll 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Net.Http.WebRequest.resources\v4.0_4.0.0.0_ja_b03f5f7f11d50a3a\System.Net.Http.WebRequest.resources.dll 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\PolicyDefinitions\DiskQuota.admx 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Boot\PCAT\bg-BG\bootmgr.exe.mui 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Boot\PCAT\bootuwf.dll 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Globalization\ELS\SpellDictionaries\Fluency\uk-UA\emoji_bg_c.lm2 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\fr\System.Configuration.resources.dll 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\es\SqlPersistenceProviderSchema.sql 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\it\System.Activities.Presentation.resources.dll 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\it\System.Data.Services.Design.resources.dll 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\v4.0_10.0.0.0_fr_31bf3856ad364e35\Microsoft.GroupPolicy.AdmTmplEditor.Resources.dll 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\INF\vhdmp.PNF 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File opened for modification C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\nppdf32.dll 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard\App_LocalResources\wizardProviderInfo.ascx.de.resx 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess32.exe.config 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.GroupPolicy.Reporting.Resources\v4.0_2.0.0.0_ja_31bf3856ad364e35\Microsoft.GroupPolicy.Reporting.Resources.dll 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation.Resources\v4.0_3.0.0.0_en_31bf3856ad364e35\System.Management.Automation.Resources.dll 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security.Principal\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.Principal.dll 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.ApplicationServices\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.ApplicationServices.dll 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Fonts\calibri.ttf 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\INF\mdmgl010.inf 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\PolicyDefinitions\it-IT\NetworkConnections.adml 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\02 - Command Prompt.lnk 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\04-1 - NetworkStatus.lnk 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Command Prompt.lnk 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Speech_OneCore\Engines\TTS\ja-JP\NUSData\M1041Sayaka.voiceAssistant.WIH 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Globalization\ELS\SpellDictionaries\MsSp7fr.acl 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\INF\displayoverride.inf 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Configuration.dll 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack.Resources\v4.0_10.0.0.0_es_31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.resources.dll 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Speech_OneCore\Engines\TTS\es-ES\M3082Pablo.APM 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\INF\arcsas.inf 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\INF\c_swdevice.PNF 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\IdentityCRL\INT\wlidsvcconfig.xml 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File opened for modification C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\symbol.txt2 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.SecureBoot.Commands.Resources\v4.0_10.0.0.0_de_31bf3856ad364e35\Microsoft.SecureBoot.Commands.Resources.dll 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\PolicyDefinitions\fr-FR\WindowsRemoteManagement.adml 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\PolicyDefinitions\it-IT\P2P-pnrp.adml 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File opened for modification C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\XDPFile_8.ico 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\es\System.ServiceModel.Discovery.resources.dll 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Runtime.InteropServices.dll 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Fonts\FREESCPT.TTF 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallProfile.SQL 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v3.5\MOF\de\ServiceModel35.mfl.uninstall 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\App_LocalResources\ManageAppSettings.aspx.es.resx 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\es\SMSvcHost.resources.dll 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\PLA\Reports\de-DE\Report.System.Memory.xml 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\PolicyDefinitions\en-US\WorkplaceJoin.adml 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\PolicyDefinitions\es-ES\CredUI.adml 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Boot\EFI\winsipolicy.p7b 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Fonts\app850.fon 2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe"C:\Users\Admin\AppData\Local\Temp\2025-03-30_62ffd2d038a93df17e8621e8356497b9_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe"1⤵
- Drops file in Drivers directory
- Manipulates Digital Signatures
- Drops startup file
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:5196
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5.9MB
MD5403733320949ab05af72f5190cd5248c
SHA1daac1aaa4787048250bb8e3f606d9d6264bcaac2
SHA256536863ebc3be955021f32f9ff9d69debd0232fda05adb0dcaa0d735b978359b7
SHA512bdaaf469af31612731df3e6dea627dce9958bbb19d9cc9ebcd14645cb29703a0cb4052d253085de7b42365bf60aa00f457b91530de7fc20e30fbaae9cf4a4cdd