Malware Analysis Report

2025-08-05 15:09

Sample ID 250503-r57byadm8z
Target 2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch
SHA256 8070e3ff42493652d57578555295648a86c0d4b2ad1bc5dc64d3a00ad7bc11f5
Tags
gofing credential_access discovery ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8070e3ff42493652d57578555295648a86c0d4b2ad1bc5dc64d3a00ad7bc11f5

Threat Level: Known bad

The file 2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch was found to be: Known bad.

Malicious Activity Summary

gofing credential_access discovery ransomware spyware stealer

Gofing family

Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

Gofing

Drops file in Drivers directory

Manipulates Digital Signatures

Drops startup file

Loads dropped DLL

Reads user/profile data of web browsers

Credentials from Password Stores: Windows Credential Manager

Drops desktop.ini file(s)

Drops Chrome extension

Drops file in System32 directory

Drops autorun.inf file

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Browser Information Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-03 14:47

Signatures

Gofing family

gofing

Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-03 14:47

Reported

2025-05-03 14:50

Platform

win10v2004-20250502-en

Max time kernel

150s

Max time network

113s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe"

Signatures

Gofing

ransomware gofing

Gofing family

gofing

Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\afunix.sys C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\en-US\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\es-ES\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\fr-FR\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\gm.dls C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\gmreadme.txt C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\de-DE\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\es-ES\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\fr-FR\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\it-IT\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\ja-JP\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\de-DE\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\en-US\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\it-IT\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\ja-JP\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\uk-UA\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\manifest.json C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Media\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\$Recycle.Bin\S-1-5-21-3674642747-2260306818-3009887879-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Fonts\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\DMAppsRes.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Dism\it\Microsoft.Dism.Powershell.Resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\msscript.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\perfdisk.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\rmclient.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\tvratings.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package051021~31bf3856ad364e35~amd64~~10.0.19041.1288.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetAdapter\MSFT_NetAdapterPacketDirect.Format.ps1xml C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\de-DE\shutdown.exe.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\uk-UA\isoburn.exe.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\uxtheme.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Printing-Foundation-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-UpdateTargeting-ClientOS-EKB-Package~31bf3856ad364e35~amd64~~10.0.19041.1288.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\de-DE\dot3dlg.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\wbem\fr-FR\netnccim.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\wbem\ja-JP\mispace.mfl C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Storage-VirtualDevice-FibreChannel-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-COM-MSMQ-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\en-US\mmc.exe.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\fr-FR\sc.exe.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\tapi3.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\BOOTVID.DLL C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\C_20004.NLS C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-VmBus-Host-merged-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\Clipc.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\P2PGraph.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-TerminalServices-AppServer-Client-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-TerminalServices-WMIProvider-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\it-IT\WLanConn.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Security-SPP-Component-SKU-ProfessionalWorkstation-License-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\F12\it-IT\F12Platform2.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetAdapter\MSFT_NetAdapterAdvancedProperty.cmdletDefinition.cdxml C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\fr-FR\cdosys.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\msorcl32.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\wbem\dot3.mof C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\wininetlui.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-ApplicationModel-Sync-Desktop-FOD-Package~31bf3856ad364e35~wow64~~10.0.19041.746.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-Package~31bf3856ad364e35~amd64~uk-UA~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\de-DE\hgcpl.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\es-ES\UIRibbon.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\vaultcli.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\wbem\es-ES\nlmcim.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\wbem\fr-FR\mofd.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-AssignedAccess-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0113~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Optional-Features-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\KeyboardFilterShim.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\elslad.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package01~31bf3856ad364e35~amd64~~10.0.19041.1151.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-DataCenterBridging-Opt-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-EditionSpecific-Professional-Package~31bf3856ad364e35~amd64~~10.0.19041.264.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-EnterpriseClientSync-Host-Opt-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-FCI-Client-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\ja-JP\stobject.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\qdvd.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\wkscli.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\ByteCodeGenerator.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Holographic-Desktop-Merged-Package~31bf3856ad364e35~amd64~uk-UA~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-StepsRecorder-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Multimedia-MFCore-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\DataUsageHandlers.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\de-DE\wextract.exe.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\en-ae\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_nb.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Riblet.eftx C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Primitives.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Trial-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-80.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.IO.Compression.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\tr-tr\PlayStore_icon.svg C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\ResiliencyLinks\Locales\pl.pak.DATA C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_filter\libcroppadd_plugin.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.scale-125_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_scale-200.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-72_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationCore.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\SkypeAppList.targetsize-48_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Google.scale-250.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview2x.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\vcruntime140_1.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\ZeroByteFile C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-200_8wekyb3d8bbwe\resources.pri C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\Context.snippets.ps1xml C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\UIAutomationClientSideProviders.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\dd_arrow_small.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Pester.Tests.ps1 C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTrial-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PhotosMedTile.contrast-black_scale-125.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Spiral.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-80_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\ind_prog.gif C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\bg-BG\tipresx.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-20_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Reflection.Context.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNotebookMedTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\pt-BR\PresentationUI.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Microsoft.IoT.Cortana.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-80_altform-colorize.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\dark\rhp_world_icon_hover.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\new_icons.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\ext\jaccess.jar C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreAppList.scale-200.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Controls.Ribbon.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\UIAutomationClient.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\large_trefoil.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\ResiliencyLinks\Locales\zh-CN.pak.DATA C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\fr.pak C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ORGCHART.EXE C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\npjp2.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PIXEL\PIXEL.INF C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-36_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Input.Manipulations.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\images\themeless\mobile_fillsign_logo.svg C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_KMS_ClientC2R-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_filter\libblend_plugin.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-32_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\stickers\word_art\sticker17.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\pt-br\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\OSFUI.DLL C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNotebookMedTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\ja\ReachFramework.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\fr\System.Web.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ja\System.Drawing.Design.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Fonts\serifft.fon C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\home1.aspx C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\it\mscorlib.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ja\Microsoft.Transactions.Bridge.Dtc.Resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Security.Cryptography.Csp.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\it-IT\Camera.adml C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Globalization\Sorting\SortServer2003Compat.nls C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\it\System.Data.DataSetExtensions.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Cursors\arrow_rl.cur C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\sysglobl.resources\v4.0_4.0.0.0_de_b03f5f7f11d50a3a\sysglobl.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\fr-FR\Display.adml C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\de\System.Windows.Presentation.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Cmdletization.OData.Resources\v4.0_3.0.0.0_fr_31bf3856ad364e35\Microsoft.PowerShell.Cmdletization.OData.Resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\system.data.sqlxml.resources\v4.0_4.0.0.0_es_b77a5c561934e089\system.data.sqlxml.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PLA\Reports\Report.System.Disk.xml C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\SMSvcHost 3.0.0.0\0000\_SMSvcHostPerfCounters_D.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_LocalResources\home0.aspx.ja.resx C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\DE\Regasm.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ES\System.Design.Resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\PresentationFramework-SystemXmlLinq.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\fr\System.DirectoryServices.AccountManagement.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\Users\App_LocalResources\editUser.aspx.resx C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Wizard\App_LocalResources\wizardAuthentication.ascx.de.resx C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Cursors\aero_person_l.cur C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\IME\IMETC\HELP\IMTCTC14.CHM C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\normalization.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ja\System.Workflow.Activities.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\AddInUtil.resources\v4.0_4.0.0.0_it_b77a5c561934e089\AddInUtil.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.Commands.UpdateDiagRootcause.Resources\v4.0_1.0.0.0_es_31bf3856ad364e35\Microsoft.Windows.Diagnosis.Commands.UpdateDiagRootcause.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem.resources\v4.0_4.0.0.0_de_b77a5c561934e089\System.IO.Compression.FileSystem.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Messaging.resources\v4.0_4.0.0.0_de_b03f5f7f11d50a3a\System.Messaging.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\netbvbda.PNF C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\MiguiControls\v4.0_1.0.0.0__31bf3856ad364e35\MIGUIControls.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\WsatConfig\v4.0_4.0.0.0__b03f5f7f11d50a3a\WsatConfig.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Panther\setuperr.log C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\it-IT\DiskNVCache.adml C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File opened for modification C:\Windows\BitLockerDiscoveryVolumeContents\fr-CA_BitLockerToGo.exe.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Users\manageUsers.aspx C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\App_LocalResources\home0.aspx.es.resx C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\XamlBuildTask.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\es\System.DirectoryServices.Protocols.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\fr\InstallUtil.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Wizard\App_LocalResources\wizardProviderInfo.ascx.fr.resx C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\de\ReachFramework.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Boot\EFI\nl-NL\bootmgfw.efi.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\es\System.Runtime.Serialization.Formatters.Soap.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\es\System.Activities.Presentation.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PLA\Rules\fr-FR\Rules.System.Configuration.xml C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\es-ES\QOS.adml C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Prefetch\RUNDLL32.EXE-D71F3FEA.pf C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.GroupPolicy.AdmTmplEditor.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\Sharing.admx C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Fonts\PAPYRUS.TTF C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\es\system.data.sqlxml.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\en-US\WindowsExplorer.adml C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\fr-FR\MSI.adml C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\it-IT\AppXRuntime.adml C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\ja-JP\EventLogging.adml C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\FontCache-S-1-5-21-3674642747-2260306818-3009887879-1000.dat C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Installer\a495.msi C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Browser Information Discovery

discovery

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-03_500c1f0c268f093905a1842bd4336a70_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 c.pki.goog udp
DE 142.250.184.195:80 c.pki.goog tcp

Files

C:\Program Files\7-Zip\7-zip.dll

MD5 25aa7a53af5edcb74a8e62ea4d04bf48
SHA1 cd2d8040a976e8c2ad72711f23804443431635e2
SHA256 6439ed95be9f5f28f839673f1b7a4c36edfdbc22c432bcc1d7aaa40c12e0b43a
SHA512 65b95bbb2786ccb5301bbccdc46bc22e98b23267ae81f2bba5547d7786c9ebaee7da803d526d02daa96aa2089d5bdf1d633d50b8368d681e18319c6f55b4a644

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

MD5 c844f6944c836f194a14f86d9bdd21df
SHA1 a849f58827327df664cdb31cfa6a5ed06ac6eecf
SHA256 6156b5c3584cfc4be9e8f470e5745d2884653340a6154f03a0fd4824d4963e47
SHA512 d7035b7938cfb06831d4d4728f84941c724d837da9cd5437f912f4c82a45579de7146fa2927dbd4e4b49356b9fe0de6451239c5d6ac02076c23ecc169568e890