Analysis
-
max time kernel
150s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system -
submitted
03/04/2025, 18:03
Behavioral task
behavioral1
Sample
2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
Resource
win10v2004-20250314-en
windows10-2004-x64
16 signatures
150 seconds
General
-
Target
2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
-
Size
4.2MB
-
MD5
b780a62989d0d9586f840dbf73feec8f
-
SHA1
006ae248b7650e0052278018ce807d9482cbd503
-
SHA256
f9d6945c58fae73bb075a0ad28b81568f9309c72b39b9da81092438a8a31b09f
-
SHA512
e393a1f550ab5365898dd2715c590db0268e4a224dc9e046a6ab144903140a275fe976d7881cc95e983292ae021b6d94891cbfb231e975cd2c2e7ca94a6e2857
-
SSDEEP
49152:ieutLO9rb/TrvO90dL3BmAFd4A64nsfJJ2TIA5GNP1Jr4u/TgAPNdi9128qk1q44:ieF+iIAEl1JPz212IhzL+Bzz3dw/VW
Malware Config
Signatures
-
Gofing
Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.
-
Gofing family
-
Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation. 1 IoCs
resource yara_rule behavioral1/files/0x0003000000022a38-4.dat family_gofing -
Renames multiple (52) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops file in Drivers directory 22 IoCs
description ioc Process File created C:\Windows\SysWOW64\drivers\afunix.sys 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\fr-FR\wfplwfs.sys.mui 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\gm.dls 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\gmreadme.txt 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\ja-JP\wfplwfs.sys.mui 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\de-DE\NdisImPlatform.sys.mui 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\en-US\wfplwfs.sys.mui 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\es-ES\NdisImPlatform.sys.mui 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\es-ES\wfplwfs.sys.mui 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\fr-FR\NdisImPlatform.sys.mui 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\ja-JP\NdisImPlatform.sys.mui 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\de-DE\wfplwfs.sys.mui 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\it-IT\wfplwfs.sys.mui 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\uk-UA\NdisImPlatform.sys.mui 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\en-US\NdisImPlatform.sys.mui 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\it-IT\NdisImPlatform.sys.mui 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe -
Manipulates Digital Signatures 1 IoCs
Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.
description ioc Process File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe -
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops Chrome extension 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\manifest.json 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe -
Drops desktop.ini file(s) 64 IoCs
description ioc Process File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\Documents\desktop.ini 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Public\Documents\desktop.ini 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\Saved Games\desktop.ini 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Public\Videos\desktop.ini 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\Videos\desktop.ini 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\3D Objects\desktop.ini 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\Downloads\desktop.ini 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Public\Desktop\desktop.ini 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\Pictures\Saved Pictures\desktop.ini 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\Pictures\desktop.ini 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Public\Libraries\desktop.ini 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\desktop.ini 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\desktop.ini 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Fonts\desktop.ini 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\Contacts\desktop.ini 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Media\Desktop.ini 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Downloaded Program Files\desktop.ini 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\Pictures\Camera Roll\desktop.ini 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\Desktop\desktop.ini 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\Music\desktop.ini 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Public\Pictures\desktop.ini 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\Searches\desktop.ini 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe -
Drops autorun.inf file 1 TTPs 1 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\es-ES\svchost.exe.mui 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\ja-JP\ActionCenterCPL.dll.mui 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\mfc120cht.dll 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\mspatcha.dll 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\odpdx32.dll 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\Configuration\Schema\MSFT_FileDirectoryConfiguration\MSFT_FileDirectoryConfiguration.Schema.mof 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\KBDUZB.DLL 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\LicensingDiagSpp.dll 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\Microsoft.Uev.Office2013CustomActions.dll 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\cngcredui.dll 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\es-ES\sxs.dll.mui 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\ja-JP\DeviceDisplayStatusManager.dll.mui 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\ja-JP\hidphone.tsp.mui 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\IME\SHARED\IMEWDBLD.EXE 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\KBDYCC.DLL 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\PortableDeviceApi.dll 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Archive\Microsoft.PowerShell.Archive.psm1 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_GroupResource\fr-FR\MSFT_GroupResource.strings.psd1 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\de-DE\PlayToStatusProvider.dll.mui 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\downlevel\api-ms-win-service-core-l1-1-1.dll 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\es-ES\appmgr.dll.mui 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\ctfmon.exe 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\de-DE\dtsh.dll.mui 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\es-ES\pnrpnsp.dll.mui 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\fi-FI\windows.ui.xaml.dll.mui 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\it-IT\iexpress.exe.mui 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\msscntrs.dll 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\spp\tokens\skus\csvlk-pack\csvlk-pack-Volume-CSVLK-10-ul-phn-rtm.xrm-ms 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetNat\MSFT_NetNat.Types.ps1xml 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\en-US\cdosys.dll.mui 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\fr-FR\dsreg.dll.mui 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\it-IT\telephon.cpl.mui 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\ja-JP\ncpa.cpl.mui 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\msauserext.dll 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\occache.dll 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\KBDINHIN.DLL 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\downlevel\api-ms-win-core-shutdown-l1-1-0.dll 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\en-US\mshtmler.dll.mui 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\en-US\mstask.dll.mui 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\en-US\MbaeApi.dll.mui 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\fr-FR\sndvol.exe.mui 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\ja-JP\AdmTmpl.dll.mui 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\ja-JP\UIRibbon.dll.mui 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\mspaint.exe 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\FXSAPI.dll 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\SmbGlobalMapping.cdxml 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\es-ES\AdmTmpl.dll.mui 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\es-ES\PresentationHost.exe.mui 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\es-ES\tasklist.exe.mui 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\fr-FR\user32.dll.mui 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\kbdlk41a.dll 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\sqlwoa.dll 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\es-ES\BitLocker.psd1 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PrintManagement\MSFT_LocalPrinterPort.format.ps1xml 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\developerReference.xsd 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\davclnt.dll 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\fr-FR\gpedit.msc 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\fr-FR\mmcbase.dll.mui 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\WfHC.dll 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\de\AuthFWSnapIn.Resources.dll 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\de-DE\WsmRes.dll.mui 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\dpwsockx.dll 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\fr-FR\eudcedit.exe.mui 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\ja-JP\at.exe.mui 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files\Common Files\System\ado\ja-JP\msader15.dll.mui 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_KMS_Client_AE-ul.xrm-ms 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\Microsoft Office\root\Templates\1033\ApothecaryLetter.dotx 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\PeopleWideTile.scale-125.png 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Config\View3DConfig.json 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNewNoteWideTile.scale-150.png 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-64_altform-lightunplated.png 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Locales\hu.pak 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\Java\jdk-1.8\THIRDPARTYLICENSEREADME.txt 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Schoolbook.xml 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.scale-125.png 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MixedRealityPortalAppList.targetsize-80_altform-unplated_contrast-white.png 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\MixedRealityPortal_CustomCapability.sccd 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework-SystemDrawing.dll 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\Microsoft Office\root\Office16\1033\offsymb.ttf 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleLargeTile.scale-200.png 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-32_contrast-high.png 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppUpdate.svg 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Data.DataSetExtensions.dll 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\da-dk\ui-strings.js 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\Microsoft\EdgeUpdate_disable\1.3.195.43\msedgeupdateres_es-419.dll 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\W4.png 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.Entity.Design.Resources.dll 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\vlc.mo 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\StopwatchSmallTile.contrast-black_scale-125.png 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\tinytile.targetsize-256_altform-unplated_contrast-white.png 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\Microsoft Office\root\Integration\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\resources.0eee61ec.pri 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-16_altform-lightunplated.png 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-80_altform-lightunplated.png 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\WindowsBase.resources.dll 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\d3dcompiler_47.dll 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ja-jp\ui-strings.js 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\Classic\Pyramid.Large.png 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-40.png 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarSplashLogo.scale-250.png 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-il\ui-strings.js 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\pl-pl\ui-strings.js 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\tifffilt.dll 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\vstoee100.tlb 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\Common Files\microsoft shared\ink\fr-FR\InputPersonalization.exe.mui 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-ul-oob.xrm-ms 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\ro\msipc.dll.mui 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\VideoLAN\VLC\plugins\codec\libcc_plugin.dll 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupWideTile.scale-100.png 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00.UWPDesktop_14.0.27629.0_x64__8wekyb3d8bbwe\mfc140esn.dll 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-30_altform-lightunplated.png 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxWideTile.scale-400.png 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\PresentationCore.resources.dll 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-64_contrast-white.png 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\UIAutomationProvider.resources.dll 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ru-ru\ui-strings.js 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\de-de\ui-strings.js 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Yahoo-Light.scale-200.png 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Windows.Input.Manipulations.resources.dll 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\plugin.js 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-ul-phn.xrm-ms 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Yahoo-Dark.scale-250.png 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\Common Files\microsoft shared\ink\pl-PL\tipresx.dll.mui 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\SplashScreen.scale-200.png 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\sk-SK\View3d\3DViewerProductDescription-universal.xml 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\commerce\sms_failure_illustration.png 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\CacheSize.txt 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\es\caspol.resources.dll 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Data.Entity.Build.Tasks.resources\v4.0_4.0.0.0_fr_b03f5f7f11d50a3a\Microsoft.Data.Entity.Build.Tasks.resources.dll 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\aspnet_regsql.resources\v4.0_4.0.0.0_de_b03f5f7f11d50a3a\aspnet_regsql.resources.dll 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\PLA\Reports\es-ES\Report.System.Summary.xml 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Fonts\marlett.ttf 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\INF\.NET Memory Cache 4.0\netmemorycache.h 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\fr\System.Configuration.resources.dll 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess.resources\v4.0_4.0.0.0_fr_b03f5f7f11d50a3a\System.ServiceProcess.resources.dll 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\napinit.resources\v4.0_10.0.0.0_it_31bf3856ad364e35\napinit.Resources.dll 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\PolicyDefinitions\it-IT\ICM.adml 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\PolicyDefinitions\ja-JP\CloudContent.adml 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Provisioning\Packages\Power.Settings.Graphics.ppkg 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Fonts\coue1257.fon 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\WebAdminHelp.aspx 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.JScript.tlb 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Wizard\App_LocalResources\wizardPermission.ascx.fr.resx 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\it\System.Data.Services.resources.dll 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\AddInUtil.resources\v4.0_4.0.0.0_fr_b77a5c561934e089\AddInUtil.resources.dll 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\INF\c_cdrom.inf 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\1031\vbc7ui.dll 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\System.Drawing.tlb 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v3.5\it\Microsoft.Data.Entity.Build.Tasks.Resources.dll 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\ImmersiveControlPanel\images\logo.contrast-white_scale-125.png 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\MmcAspExt.dll 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\DE\Microsoft.Build.Tasks.resources.dll 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\it\System.Windows.Forms.DataVisualization.resources.dll 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ja\System.Drawing.resources.dll 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\PolicyDefinitions\en-US\PeerToPeerCaching.adml 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.DirectoryServices.Protocols.dll 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\Microsoft.Transactions.Bridge.dll 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\de\JSC.resources.dll 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\INF\sensorsservicedriver.inf 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\Roles\App_LocalResources\manageSingleRole.aspx.it.resx 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\App_LocalResources\home2.aspx.ja.resx 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\1031\cscui.dll 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Net.WebHeaderCollection.dll 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Data.Entity.Build.Tasks.resources\v4.0_4.0.0.0_it_b03f5f7f11d50a3a\Microsoft.Data.Entity.Build.Tasks.resources.dll 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Users\App_LocalResources\findUsers.aspx.es.resx 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\Permissions\App_LocalResources\managePermissions.aspx.fr.resx 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\es\System.Data.resources.dll 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\1040\cscompui.dll 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Providers\App_LocalResources\chooseProviderManagement.aspx.de.resx 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Resources.Writer.dll 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Entity.Design.resources\v4.0_4.0.0.0_es_b77a5c561934e089\System.Data.Entity.Design.resources.dll 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\PolicyDefinitions\de-DE\CredUI.adml 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\INF\iaLPSS2i_I2C_BXT_P.inf 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\Browsers\webtv.browser 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\UninstallPersonalization.sql 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data.resources\v4.0_10.0.0.0_ja_b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.resources.dll 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\PolicyDefinitions\ja-JP\WinLogon.adml 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Prefetch\RUNTIMEBROKER.EXE-005D3145.pf 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Fonts\8514syst.fon 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ES\mscorrc.dll 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe.config 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\fr\System.Web.Extensions.resources.dll 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\fr-FR\Microsoft.Windows.ApplicationServer.Applications.dll.mui 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\PLA\Rules\ja-JP\Rules.System.Summary.xml 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Panther\cbs.log 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\INF\c_cashdrawer.inf 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\INF\mdmzyxlg.inf 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_LocalResources\home0.aspx.es.resx 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\it\System.Drawing.Resources.dll 2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe"C:\Users\Admin\AppData\Local\Temp\2025-04-03_b780a62989d0d9586f840dbf73feec8f_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe"1⤵
- Drops file in Drivers directory
- Manipulates Digital Signatures
- Drops startup file
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:5468
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.2MB
MD520c4c388b0898e3321ecd2c9c3dd262c
SHA199cffa395bf30aee82c8a31df0104b345e7aaa27
SHA256d57be4358d1d4ad65dc0c72f9a5d35389c3684a10d82218264cf274879cb992f
SHA512d54ff8181cc1410f56d1dd7955ae2b5c5a09175e32eb6e69ab2e9f44afb0319239f011b34ca351601db444ddd7a334a22a20e1495c6817d1b74eeefd76e42045