Analysis
-
max time kernel
150s -
max time network
138s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system -
submitted
03/04/2025, 18:02
Behavioral task
behavioral1
Sample
2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
Resource
win10v2004-20250314-en
windows10-2004-x64
17 signatures
150 seconds
General
-
Target
2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
-
Size
4.1MB
-
MD5
b56ea68d6f5d8c222857634052c9fb29
-
SHA1
e25bfd5c5464438c3f47da2659f64dec4e8e46f6
-
SHA256
fba282e4a8343f58b2a9b130c081624a561540f4f24aa06f58cf4246c0d22802
-
SHA512
f645018aba00afa7c89c214a5f851acce11777c643726d483f349743c160f5eb7c4fe50b4ee9c04c5ef907c2ce271292969caf4248b42ad18845cf515f3e5e63
-
SSDEEP
49152:ieutLO9rb/TrvO90dL3BmAFd4A64nsfJJ2TIA5GNP1Jr4u/TgAPNdi9128qk1q4E:ieF+iIAEl1JPz212IhzL+Bzz3dw/Vi
Malware Config
Signatures
-
Gofing
Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.
-
Gofing family
-
Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation. 2 IoCs
resource yara_rule behavioral1/files/0x0003000000022a47-4.dat family_gofing behavioral1/files/0x00020000000219a2-5541.dat family_gofing -
Renames multiple (52) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops file in Drivers directory 22 IoCs
description ioc Process File created C:\Windows\SysWOW64\drivers\uk-UA\NdisImPlatform.sys.mui 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\afunix.sys 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\es-ES\wfplwfs.sys.mui 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\ja-JP\wfplwfs.sys.mui 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\de-DE\NdisImPlatform.sys.mui 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\en-US\NdisImPlatform.sys.mui 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\it-IT\NdisImPlatform.sys.mui 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\it-IT\wfplwfs.sys.mui 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\ja-JP\NdisImPlatform.sys.mui 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\de-DE\wfplwfs.sys.mui 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\gmreadme.txt 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\en-US\wfplwfs.sys.mui 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\es-ES\NdisImPlatform.sys.mui 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\fr-FR\NdisImPlatform.sys.mui 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\fr-FR\wfplwfs.sys.mui 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\gm.dls 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe -
Manipulates Digital Signatures 2 IoCs
Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.
description ioc Process File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\wintrust.dll 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe -
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe -
Loads dropped DLL 60 IoCs
pid Process 3416 Process not Found 3416 Process not Found 3416 Process not Found 3416 Process not Found 3416 Process not Found 3416 Process not Found 3416 Process not Found 3416 Process not Found 3416 Process not Found 3416 Process not Found 3416 Process not Found 3416 Process not Found 3416 Process not Found 3416 Process not Found 3416 Process not Found 3416 Process not Found 3416 Process not Found 3416 Process not Found 3416 Process not Found 3416 Process not Found 3416 Process not Found 3416 Process not Found 3416 Process not Found 3416 Process not Found 3416 Process not Found 3416 Process not Found 3416 Process not Found 3416 Process not Found 3416 Process not Found 3416 Process not Found 3416 Process not Found 3416 Process not Found 3416 Process not Found 3416 Process not Found 3416 Process not Found 3416 Process not Found 3416 Process not Found 3416 Process not Found 3416 Process not Found 3416 Process not Found 3416 Process not Found 3416 Process not Found 3416 Process not Found 3416 Process not Found 3416 Process not Found 3416 Process not Found 3416 Process not Found 3416 Process not Found 3416 Process not Found 3416 Process not Found 3416 Process not Found 3416 Process not Found 3416 Process not Found 3416 Process not Found 3416 Process not Found 3416 Process not Found 3416 Process not Found 3416 Process not Found 3416 Process not Found 3416 Process not Found -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops Chrome extension 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\manifest.json 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe -
Drops desktop.ini file(s) 64 IoCs
description ioc Process File created C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\Pictures\Camera Roll\desktop.ini 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\Pictures\desktop.ini 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\Music\desktop.ini 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\Searches\desktop.ini 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Public\Documents\desktop.ini 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Fonts\desktop.ini 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\Videos\desktop.ini 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Public\Downloads\desktop.ini 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\Downloads\desktop.ini 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\Documents\desktop.ini 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\Saved Games\desktop.ini 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Public\AccountPictures\desktop.ini 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\desktop.ini 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\OneDrive\desktop.ini 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\3D Objects\desktop.ini 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Public\Music\desktop.ini 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Public\Videos\desktop.ini 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Media\Desktop.ini 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Offline Web Pages\desktop.ini 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\Contacts\desktop.ini 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\desktop.ini 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\Links\desktop.ini 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Public\Libraries\desktop.ini 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Public\Pictures\desktop.ini 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Public\desktop.ini 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe -
Drops autorun.inf file 1 TTPs 1 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-HyperV-OptionalFeature-HypervisorPlatform-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-HyperV-OptionalFeature-VirtualMachinePlatform-Package~31bf3856ad364e35~amd64~uk-UA~10.0.19041.1.cat 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\iertutil.dll 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\mciqtz32.dll 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\RemoteDesktopServices-Base-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\DriverStore\de-DE\e2xw10x64.inf_loc 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\en-US\DeviceUxRes.dll.mui 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-KernelInt-VirtualDevice-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-UX-UI-Client-merged-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\en-US\iologmsg.dll.mui 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\it-IT\schedsvc.dll.mui 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Basic-Http-Minio-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Lxss-Package~31bf3856ad364e35~amd64~uk-UA~10.0.19041.1.cat 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\DriverStore\FileRepository\mdmnis1u.inf_amd64_64035dd8a7571ba7\mdmnis1u.inf 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_WaitForSome\it-IT\MSFT_WaitForSome.schema.mfl 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\powershell.exe.mui 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\sv-SE\windows.ui.xaml.dll.mui 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-System-VmDirect-merged-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\DriverStore\FileRepository\netathr10x.inf_amd64_2691c4f95b80eb3b\eeprom_qca9377_1p1_NFA435_olpc_LE_10.bin 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\DevicePairing.dll 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\IME\SHARED\IMESEARCHPS.DLL 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-ShellLauncher-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\EapTeapExt.dll 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\wbem\es-ES\mstscax.mfl 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\Dism\it-IT\ImagingProvider.dll.mui 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppvClientComConsumer.dll 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\fr-FR\RpcNs4.dll.mui 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\ja-JP\sxs.dll.mui 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\C_863.NLS 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-MultiPoint-Connector-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\DriverStore\FileRepository\hidcfu.inf_amd64_409fe85a7af72672\hidcfu.inf 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\DriverStore\FileRepository\net7800-x64-n650f.inf_amd64_178f1bdb49a6e2fd\lan7800-x64-n650f.sys 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\sr-Latn-RS\quickassist.exe.mui 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\DriverStore\FileRepository\mchgr.inf_amd64_399f04975a0af112\breecemc.sys 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\SystemSupportInfo.dll 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\ja-JP\CloudNotifications.exe.mui 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\Keywords\ti_dnn_fr.table 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\en-US\rtutils.dll.mui 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\wscadminui.exe 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\DriverStore\FileRepository\disk.inf_amd64_cc4dba2066ccf53c\disk.sys 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\KBDUK.DLL 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetConnection\MSFT_NetConnectionProfile.format.ps1xml 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-HyperV-OptionalFeature-VirtualMachinePlatform-Disabled-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\d3d8.dll 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\dfrgui.exe 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Containers-OptionalFeature-DisposableClientVM-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-Multimedia-CastingCommon-Package~31bf3856ad364e35~amd64~~10.0.19041.264.cat 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0015~31bf3856ad364e35~amd64~~10.0.19041.264.cat 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-NetFx3-OC-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Printing-LPDPrintService-Opt-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Multimedia-RestrictedCodecsCore-WCOSHeadless-WOW64-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\ja-JP\eudcedit.exe.mui 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\tpmcompc.dll 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-TerminalServices-UsbRedirector-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\en-US\PSModuleDiscoveryProvider.dll.mui 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Onecore-SPP-VirtualDevice-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\FamilySafetyExt.dll 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\wbem\fr-FR\wscenter.mfl 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-NetFx3-WCF-OC-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\Com\de-DE\MigRegDB.exe.mui 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\Dism\de-DE\GenericProvider.dll.mui 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\Windows.Devices.SmartCards.dll 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\SysWOW64\de-DE\telephon.cpl.mui 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\System32\AppVPublishing.dll 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TipRes.dll.mui 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\Microsoft Office\root\Office16\XML2WORD.XSL 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\msasxpress.dll 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-black\SmallTile.scale-125.png 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNotebookWideTile.scale-150.png 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\ImmersiveControl_Slider_Click_Sound.wma 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_checkbox_selected_18.svg 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\RenameResize.wvx 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNotebookWideTile.scale-100.png 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_fillandsign_18.svg 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\Microsoft\EdgeUpdate_disable\1.3.195.43\msedgeupdateres_fr.dll 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\Locales\it.pak 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\Trust Protection Lists\Mu\Social 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-pl.xrm-ms 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_Subscription-ul-oob.xrm-ms 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\Microsoft Office\root\Office16\Interceptor.tlb 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.scale-100_contrast-black.png 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Xaml.resources.dll 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ko-kr\ui-strings.js 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\Microsoft Office\Office16\SLERROR.XML 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Windows.Presentation.resources.dll 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Spacer\6px.png 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\stickers\word_art\sticker22.png 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ExchangeSmallTile.scale-125.png 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Forms.dll 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\scanAppLogo.png 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\7-Zip\Lang\th.txt 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Excel.Common.FrontEnd.XmlSerializers.dll 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\kk\msipc.dll.mui 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\AppxManifest.xml 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Videos\SmartSelect\Magic_Select_add_tool.mp4 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\BeOfType.Tests.ps1 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\VisualElements\LogoCanary.png 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-48.png 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\sl-si\ui-strings.js 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\example_icons.png 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\rt3d.dll 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\fr.pak 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Linq.Resources.dll 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailBadge.scale-125.png 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\Google\Chrome\Application\133.0.6943.60\Locales\lv.pak 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTrial-ppd.xrm-ms 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.OpenSsl.dll 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\Common Files\System\Ole DB\es-ES\oledb32r.dll.mui 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\Java\jdk-1.8\jre\lib\javafx.properties 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\Java\jre-1.8\bin\sunec.dll 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL103.XML 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\VideoLAN\VLC\plugins\codec\libwebvtt_plugin.dll 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxComm.dll 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\WindowsBase.resources.dll 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\line_2x.png 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupMedTile.scale-125.png 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\osf\refresh_16x16x32.png 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7FR.DLL 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\32.jpg 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\sk-SK\View3d\3DViewerProductDescription-universal.xml 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-80_contrast-black.png 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\Common Files\Microsoft Shared\VC\msdia90.dll 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\mip_protection_sdk.dll 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_nb.dll 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\vlc.mo 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\LargeTile.scale-400_contrast-white.png 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\it\System.Runtime.DurableInstancing.resources.dll 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.Appx.PackageManager.Commands.Resources\v4.0_10.0.0.0_de_31bf3856ad364e35\Appx.psd1 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\PolicyDefinitions\EnhancedStorage.admx 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\PolicyDefinitions\en-US\iSCSI.adml 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Fonts\GlobalMonospace.CompositeFont 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Fonts\ega40woa.fon 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Media\Speech On.wav 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\CreateAppSetting.aspx 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Configuration.Install.dll 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\1036\alinkui.dll 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Accessibility.dll 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Prefetch\RUNDLL32.EXE-7EF4A0DD.pf 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ja\aspnet_regbrowsers.resources.dll 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMConfigInstaller.exe 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Globalization\ICU\metaZones.res 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Installer\9ef8.msp 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\setUpAuthentication.aspx 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\de\System.Configuration.resources.dll 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_perf.h 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\PolicyDefinitions\fr-FR\CredSsp.adml 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\JA\System.ServiceProcess.Resources.dll 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\PolicyDefinitions\fr-FR\EarlyLaunchAM.adml 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Cursors\move_rl.cur 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Fonts\micross.ttf 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Globalization\ELS\SpellDictionaries\MsSp7uk.lex 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\INF\bthprint.inf 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\INF\eaphost.inf 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\INF\mdmar1.inf 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\3082\CvtResUI.dll 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Numerics.dll 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\INF\ks.inf 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Security.Principal.dll 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ThirdPartyNotices.txt 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\de\System.Configuration.resources.dll 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\PolicyDefinitions\en-US\COM.adml 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\PolicyDefinitions\ja-JP\StartMenu.adml 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\INF\uefi.PNF 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\webAdminNoButtonRow.master 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\DE\system.data.sqlxml.resources.dll 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\PolicyDefinitions\fr-FR\Kerberos.adml 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\INF\WindowsTrustedRTProxy.PNF 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Wizard\App_LocalResources\confirmation.ascx.resx 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Wizard\App_LocalResources\wizardInit.ascx.resx 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\it-IT\ServiceModelEvents.dll.mui 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\TaskScheduler.Resources\v4.0_10.0.0.0_fr_31bf3856ad364e35\TaskScheduler.resources.dll 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\PolicyDefinitions\it-IT\LanmanWorkstation.adml 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\INF\microsoft_bluetooth_hfp_hf.inf 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\QRCode.pmp 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\webAdmin.master 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\DefineErrorPage.aspx 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Providers\App_LocalResources\chooseProviderManagement.aspx.ja.resx 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Aspnet.config 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\ja\System.Windows.Presentation.resources.dll 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\it\AddInUtil.resources.dll 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\PolicyDefinitions\EventLogging.admx 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\PolicyDefinitions\en-US\DeviceSetup.adml 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Speech_OneCore\Engines\TTS\it-IT\NUSData\M1040ElsaV2.voiceAssistant.wih 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\App_LocalResources\WebAdminHelp_Internals.aspx.resx 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe.config 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Threading.Timer.dll 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\fr\System.Configuration.Install.resources.dll 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\System.ServiceModel.Install.dll 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe File created C:\Windows\INF\ServiceModelEndpoint 3.0.0.0\_ServiceModelEndpointPerfCounters.h 2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe"C:\Users\Admin\AppData\Local\Temp\2025-04-03_b56ea68d6f5d8c222857634052c9fb29_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe"1⤵
- Drops file in Drivers directory
- Manipulates Digital Signatures
- Drops startup file
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:5368
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.2MB
MD5c5b2efe1d87db6a158edca9d3c5fc1ea
SHA1dfd629913338359d733acddd82e194ba8fbda1e9
SHA256d489c7e0958278ad56c28b37302e70926490a0119629ec1ade55e5b948a4df99
SHA512474c6f8720d8f5b7b583aa9b529e6515888f09ccd60e70a5b33984371515ac45ec6e166fc812a1351543a9d70f419833488b392774a5bc99bc5c93713e9d6df5
-
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll
Filesize5.8MB
MD5f0d23ee3134de7d7f910810ea97eb7d0
SHA116424cbe21b178545d7de638830d9ad7b4722cfd
SHA2566ee311703f6ed1e7531d9f04bd6845d51554296e163462e11606e2369ec356f7
SHA5129eda3ab24ca962125ac77a592cc3a25d2b540fbcfa9a84e284475de87c69dc85ed12f8e88ac9debdaf5b2e0fbf32e15789b4e2d83cac8ccb94d706421b2c18ac