Malware Analysis Report

2025-08-05 15:10

Sample ID 250503-r1nc9svsfw
Target 2025-05-03_458ac649d306548cb8790ba14c527d45_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch
SHA256 0eaf026cf260392efdd3c75a698b380cb03ad3fa6a8c1ccf19a6e273990e9752
Tags gofing credential_access discovery ransomware spyware stealer
Score 10/10

Analysis Overview

score
10/10

SHA256

0eaf026cf260392efdd3c75a698b380cb03ad3fa6a8c1ccf19a6e273990e9752

Threat Level: Known bad

The file 2025-05-03_458ac649d306548cb8790ba14c527d45_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch was found to be: Known bad.

Malicious Activity Summary

gofing credential_access discovery ransomware spyware stealer

Gofing family

Gofing

Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

Renames multiple (52) files with added filename extension

Drops file in Drivers directory

Manipulates Digital Signatures

Reads user/profile data of web browsers

Credentials from Password Stores: Windows Credential Manager

Drops startup file

Loads dropped DLL

Executes dropped EXE

Drops desktop.ini file(s)

Drops Chrome extension

Drops file in System32 directory

Drops autorun.inf file

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Browser Information Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-03 14:39

Signatures

Gofing family

gofing

Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-03 14:39

Reported

2025-05-03 14:42

Platform

win10v2004-20250502-en

Max time kernel

150s

Max time network

112s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-03_458ac649d306548cb8790ba14c527d45_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe"

Signatures

Gofing

ransomware gofing

Gofing family

gofing

Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

Drops file in Drivers directory

Manipulates Digital Signatures

Description Indicator Process Target
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_458ac649d306548cb8790ba14c527d45_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_458ac649d306548cb8790ba14c527d45_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Loads dropped DLL

Reads user/profile data of web browsers

spyware stealer

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\manifest.json C:\Users\Admin\AppData\Local\Temp\2025-05-03_458ac649d306548cb8790ba14c527d45_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Drops desktop.ini file(s)

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_458ac649d306548cb8790ba14c527d45_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Drops file in System32 directory

File created C:\Windows\SysWOW64\fr-FR\pots.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_458ac649d306548cb8790ba14c527d45_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\ja-JP\PeerDistSh.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_458ac649d306548cb8790ba14c527d45_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\ja-JP\iertutil.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_458ac649d306548cb8790ba14c527d45_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\ja-JP\localsec.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_458ac649d306548cb8790ba14c527d45_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\ja-JP\tapisrv.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_458ac649d306548cb8790ba14c527d45_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetAdapter\MSFT_NetAdapterVPort.Format.ps1xml C:\Users\Admin\AppData\Local\Temp\2025-05-03_458ac649d306548cb8790ba14c527d45_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetworkConnectivityStatus\MSFT_DAConnectionStatus.format.ps1xml C:\Users\Admin\AppData\Local\Temp\2025-05-03_458ac649d306548cb8790ba14c527d45_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_EnvironmentResource\uk-UA\MSFT_EnvironmentResource.schema.mfl C:\Users\Admin\AppData\Local\Temp\2025-05-03_458ac649d306548cb8790ba14c527d45_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\de-DE\wcnwiz.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_458ac649d306548cb8790ba14c527d45_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\en-US\SMBHelperClass.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_458ac649d306548cb8790ba14c527d45_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\en-US\joy.cpl.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_458ac649d306548cb8790ba14c527d45_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\es-ES\gpsvc.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_458ac649d306548cb8790ba14c527d45_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\es-ES\raschap.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_458ac649d306548cb8790ba14c527d45_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\BrowserSettingSync.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_458ac649d306548cb8790ba14c527d45_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\KBDLT.DLL C:\Users\Admin\AppData\Local\Temp\2025-05-03_458ac649d306548cb8790ba14c527d45_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\KBDMYAN.DLL C:\Users\Admin\AppData\Local\Temp\2025-05-03_458ac649d306548cb8790ba14c527d45_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\PeopleAPIs.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_458ac649d306548cb8790ba14c527d45_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetworkTransition\MSFT_NetTeredoConfiguration.format.ps1xml C:\Users\Admin\AppData\Local\Temp\2025-05-03_458ac649d306548cb8790ba14c527d45_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\clrhost.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_458ac649d306548cb8790ba14c527d45_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\en-US\dot3msm.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_458ac649d306548cb8790ba14c527d45_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\fr-FR\xwtpw32.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_458ac649d306548cb8790ba14c527d45_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Drops file in Program Files directory


Drops file in Windows directory

File created C:\Windows\INF\TAPISRV\0000\tapiperf.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_458ac649d306548cb8790ba14c527d45_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\InputMethod\CHS\ChsPinyin.lm C:\Users\Admin\AppData\Local\Temp\2025-05-03_458ac649d306548cb8790ba14c527d45_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Entity.resources\v4.0_4.0.0.0_de_b77a5c561934e089\System.Web.Entity.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_458ac649d306548cb8790ba14c527d45_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\napinit.resources\v4.0_10.0.0.0_fr_31bf3856ad364e35\napinit.Resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_458ac649d306548cb8790ba14c527d45_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\es-ES\PenTraining.adml C:\Users\Admin\AppData\Local\Temp\2025-05-03_458ac649d306548cb8790ba14c527d45_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\it-IT\RemoteAssistance.adml C:\Users\Admin\AppData\Local\Temp\2025-05-03_458ac649d306548cb8790ba14c527d45_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Prefetch\AgGlGlobalHistory.db C:\Users\Admin\AppData\Local\Temp\2025-05-03_458ac649d306548cb8790ba14c527d45_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\mlx4_bus.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_458ac649d306548cb8790ba14c527d45_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\PresentationHost_v0400.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_458ac649d306548cb8790ba14c527d45_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\de\WindowsBase.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_458ac649d306548cb8790ba14c527d45_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\it\ReachFramework.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_458ac649d306548cb8790ba14c527d45_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\fr\System.Runtime.WindowsRuntime.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_458ac649d306548cb8790ba14c527d45_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\it-IT\ReAgent.adml C:\Users\Admin\AppData\Local\Temp\2025-05-03_458ac649d306548cb8790ba14c527d45_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_LocalResources\WebAdminHelp_Application.aspx.resx C:\Users\Admin\AppData\Local\Temp\2025-05-03_458ac649d306548cb8790ba14c527d45_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorpe.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_458ac649d306548cb8790ba14c527d45_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting.resources\v4.0_4.0.0.0_es_b77a5c561934e089\System.Runtime.Remoting.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_458ac649d306548cb8790ba14c527d45_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\it-IT\WindowsRemoteManagement.adml C:\Users\Admin\AppData\Local\Temp\2025-05-03_458ac649d306548cb8790ba14c527d45_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Globalization\ELS\SpellDictionaries\Fluency\it-IT\it_IT_word_c.lm1 C:\Users\Admin\AppData\Local\Temp\2025-05-03_458ac649d306548cb8790ba14c527d45_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ImmersiveControlPanel\images\TinyTile.contrast-black_scale-200.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_458ac649d306548cb8790ba14c527d45_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Permissions\App_LocalResources\managePermissions.aspx.fr.resx C:\Users\Admin\AppData\Local\Temp\2025-05-03_458ac649d306548cb8790ba14c527d45_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\JA\System.Web.Resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_458ac649d306548cb8790ba14c527d45_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\ShellWelcomeCenter.admx C:\Users\Admin\AppData\Local\Temp\2025-05-03_458ac649d306548cb8790ba14c527d45_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\de-DE\FileServerVSSProvider.adml C:\Users\Admin\AppData\Local\Temp\2025-05-03_458ac649d306548cb8790ba14c527d45_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\.NET Memory Cache 4.0\040C\netmemorycache_d.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_458ac649d306548cb8790ba14c527d45_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ImmersiveControlPanel\images\logo.scale-150_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_458ac649d306548cb8790ba14c527d45_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\es\SqlWorkflowInstanceStoreLogic.sql C:\Users\Admin\AppData\Local\Temp\2025-05-03_458ac649d306548cb8790ba14c527d45_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Browser Information Discovery

discovery

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-03_458ac649d306548cb8790ba14c527d45_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-03_458ac649d306548cb8790ba14c527d45_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
GB 88.221.135.58:443 www.bing.com tcp
US 8.8.8.8:53 c.pki.goog udp
DE 142.250.184.195:80 c.pki.goog tcp

Files

C:\Program Files\7-Zip\7-zip32.dll

C:\Program Files\Microsoft Office\root\Office16\VISSHE.DLL

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

Analysis: behavioral2

Detonation Overview

Submitted

2025-05-03 14:39

Reported

2025-05-03 14:42

Platform

win11-20250502-en

Max time kernel

149s

Max time network

104s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-03_458ac649d306548cb8790ba14c527d45_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe"

Signatures

Gofing

ransomware gofing

Gofing family

gofing

Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.


Renames multiple (52) files with added filename extension

ransomware

Drops file in Drivers directory


Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_458ac649d306548cb8790ba14c527d45_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Executes dropped EXE


Loads dropped DLL


Reads user/profile data of web browsers

spyware stealer

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\manifest.json C:\Users\Admin\AppData\Local\Temp\2025-05-03_458ac649d306548cb8790ba14c527d45_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Drops desktop.ini file(s)


Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_458ac649d306548cb8790ba14c527d45_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Drops file in System32 directory


Drops file in Program Files directory


Drops file in Windows directory


Browser Information Discovery

discovery

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-03_458ac649d306548cb8790ba14c527d45_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-03_458ac649d306548cb8790ba14c527d45_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe"

Network

Files
