Malware Analysis Report

2025-08-05 15:10

Sample ID 250503-r5njtsdm7t
Target 2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch
SHA256 55af40f0064ee81eda1cdbabea8cc7a9e37087674ab518357f5f2455c177693d
Tags
gofing credential_access discovery ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

55af40f0064ee81eda1cdbabea8cc7a9e37087674ab518357f5f2455c177693d

Threat Level: Known bad

The file 2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch was found to be: Known bad.

Malicious Activity Summary

gofing credential_access discovery ransomware spyware stealer

Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

Gofing

Gofing family

Renames multiple (51) files with added filename extension

Drops file in Drivers directory

Manipulates Digital Signatures

Drops startup file

Credentials from Password Stores: Windows Credential Manager

Loads dropped DLL

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Drops Chrome extension

Drops autorun.inf file

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Browser Information Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-03 14:46

Signatures

Gofing family

gofing

Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-03 14:46

Reported

2025-05-03 14:49

Platform

win10v2004-20250502-en

Max time kernel

150s

Max time network

114s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe"

Signatures

Gofing

ransomware gofing

Gofing family

gofing

Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Renames multiple (51) files with added filename extension

ransomware

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\de-DE\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\en-US\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\en-US\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\es-ES\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\fr-FR\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\it-IT\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\it-IT\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\de-DE\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\gm.dls C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\ja-JP\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\uk-UA\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\afunix.sys C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\gmreadme.txt C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\ja-JP\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\es-ES\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\fr-FR\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\manifest.json C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Offline Web Pages\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Media\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Downloaded Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\$Recycle.Bin\S-1-5-21-3299287909-2279959458-198972791-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.19041.1288.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ProcessResource\es-ES\MSFT_ProcessResource.strings.psd1 C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\en-US\twext.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\it-IT\wcnwiz.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\ja-JP\imapi2.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\C_20949.NLS C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\msvcp110.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~uk-UA~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Lxss-Optional-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\comsnap.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\de-DE\objsel.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\es-ES\reg.exe.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\es-ES\urlmon.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\fr-FR\audiodev.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\it-IT\rastlsext.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Common-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-PeerDist-Client-Group-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\wbem\es-ES\FolderRedirectionWMIProvider.mfl C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-Common-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-MediaPlayback-OC-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-MediaPlayer-Payload-Package~31bf3856ad364e35~amd64~~10.0.19041.1266.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\fr-FR\provplatformdesktop.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Feature-ApplicationGuard-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.488.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-KernelInt-VirtualDevice-merged-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-Common-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\KBDUSA.DLL C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\imagesp1.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-HyperV-OptionalFeature-VirtualMachinePlatform-Package~31bf3856ad364e35~amd64~uk-UA~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\MUI\0411\mscorees.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\en-US\XInput1_4.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\en-US\diskmgmt.msc C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\es-ES\odbcconf.exe.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\powrprof.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Package-base-merged-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\ja-JP\scrnsave.scr.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\wbem\IMAPIv2-LegacyShim.mof C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\Boot\en-US\winresume.efi.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-UX-UI-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Vpci-VirtualDevice-FlexIo-Package~31bf3856ad364e35~amd64~~10.0.19041.207.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package01~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Embedded-KeyboardFilter-WOW64-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\MUI\0409\mscorees.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetAdapter\MSFT_NetAdapterEncapsulatedPacketTaskOffload.cdxml C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\asycfilt.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\tzres.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-ConfigCI-Onecore-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Multimedia-RestrictedCodecs-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.153.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\Windows.UI.CredDialogController.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\mydocs.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\wbem\ja-JP\iscsiprf.mfl C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Hypervisor-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-Containers-Guest-Shared-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.867.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\DeviceCenter.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\uk-UA\RunAsHelper.strings.psd1 C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\es-ES\SimAuth.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-System-VmDirect-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.488.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\Microsoft.PowerShell.ODataUtils.psd1 C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_WaitForAll\fr-FR\MSFT_WaitForAll.schema.mfl C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PrintManagement\MSFT_TcpIpPrinterPort_v1.0.cdxml C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\downlevel\api-ms-win-core-rtlsupport-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\itircl.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\mobsync.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\oflc-nz.rs C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\root\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ru-ru\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Google\Chrome\Application\133.0.6943.60\Locales\en-GB.pak C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\manifest.xml C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Globalization.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsLargeTile.contrast-black_scale-200.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-60.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\kb-locked.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebHeaderCollection.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\pt-br\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Templates\1033\OriginLetter.Dotx C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-20_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalAppList.targetsize-36_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-96_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\virgo-new-folder.svg C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\plugins\rhp\exportpdfupsell-app-selector.js C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\ResiliencyLinks\Locales\he.pak.DATA C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\vk_swiftshader_icd.json C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\intf\http.luac C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-256_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\FetchingMail-Dark.scale-125.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\fr_get.svg C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-96_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\[email protected] C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\Locales\ur.pak C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\mspdf.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\204.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Background_Safety_Objects.jpg C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Microsoft.People.NativeComponents.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeBridge\SkypeApi.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\avutil-56_ms.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\SmallTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-black_targetsize-36.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\OutlookMailMediumTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_Subscription-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_KMS_Client-ul.xrm-ms C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailWideTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageSmallTile.scale-400_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.1.7_1.7.25531.0_x64__8wekyb3d8bbwe\AppxSignature.p7x C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionGroupLargeTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\whatsnewsrc\bulletin_board_light.css C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_it_135x40.svg C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\eu-es\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\Info.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\161.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\resources.pri C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-us\pages\wefgalleryonenoteinsertwinrt.htm C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\de\WindowsBase.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\tr\UIAutomationClientSideProviders.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_sendforsignature_18.svg C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-fr\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\msvcp140_1.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\concrt140.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RADIAL\RADIAL.INF C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\SkypeMedTile.scale-200_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\StoreRatingPromotion.winmd C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Yahoo-Dark.scale-100.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\LargeTile.scale-150_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsLargeTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-24_altform-unplated_contrast-high.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarSplashLogo.scale-150.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\SourceHash{79043ED0-7ED1-4227-A5E5-04C5594D21F7} C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\DE\aspnet_compiler.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\fr\System.IO.Log.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\EventViewer.admx C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\es-ES\DigitalLocker.adml C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Boot\EFI\fr-CA\bootmgr.efi.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Cursors\arrow.svg C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ImmersiveControlPanel\images\logo.scale-400_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\de-DE\ServiceModelPerformanceCounters.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\es-ES\MicrosoftEdge.adml C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\hdaudss.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.EnterpriseServices.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscordacwks.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Tasks.v4.0.resources\v4.0_4.0.0.0_de_b03f5f7f11d50a3a\Microsoft.Build.Tasks.v4.0.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\MobilePCMobilityCenter.admx C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\de-DE\OOBE.adml C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\es-ES\PeerToPeerCaching.adml C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\es-ES\UserExperienceVirtualization.adml C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\mdmntt1.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\ndisuio.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\System.Windows.Forms.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\UninstallCommon.sql C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\es\System.Device.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Net.NetworkInformation\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Net.NetworkInformation.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\tcpip.admx C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Speech_OneCore\Engines\TTS\fr-FR\M1036Paul.SPEECHUX.NUS C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\RemoteAccess\0C0A\rasctrs.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v3.5\es\Microsoft.Data.Entity.Build.Tasks.Resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\CORPerfMonExt.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Resources.Reader.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\normnfc.nlp C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager.Resources\v4.0_10.0.0.0_en_31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager.Resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\Microsoft.Transactions.Bridge.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\it\System.Configuration.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ja\XsdBuildTask.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallPersistSqlState.sql C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Security.Cryptography.Encoding.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXml\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXml.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\ja-JP\DFS.adml C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\ja-JP\Msi-FileRecovery.adml C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Media\Focus0_48000Hz.raw C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\security_watermark.jpg C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Users\App_LocalResources\findUsers.aspx.ja.resx C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Speech_OneCore\Engines\TTS\it-IT\M1040ElsaV2.nnm C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\bthmtpenum.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\c_61883.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\display.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\dummy.aff C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\es\XsdBuildTask.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\es\System.Security.Resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Office.Tools.Excel.Implementation\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.Office.Tools.Excel.Implementation.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\mdmbsb.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.ValueTuple.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\de\ServiceModel.mfl.uninstall C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\de-DE\LocationProviderAdm.adml C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\fr-FR\DeliveryOptimization.adml C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Fonts\vga866.fon C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Media\Windows Hardware Insert.wav C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\GAC\de\Microsoft.VisualBasic.Compatibility.Data.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallWebEventSqlProvider.sql C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\App_LocalResources\AppSetting.ascx.ja.resx C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\Feeds.admx C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\en-US\CtrlAltDel.adml C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\es-ES\InetRes.adml C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Browser Information Discovery

discovery

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-03_6325b32ae13417a251ffba6407338f39_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 c.pki.goog udp
DE 142.250.184.195:80 c.pki.goog tcp

Files

C:\Program Files\7-Zip\7-zip.dll

MD5 372d441b61983a54a1928ce7d7785a5b
SHA1 62f2c1435fa3ba6e018e0fe1cb6258d8091c8a27
SHA256 003b76dbb887fc1306a5f5a46e209b4be33103bcbcea04016d1c4e82f5fb5f32
SHA512 5ffd8df2c98c15bcd9fee4c58f1b4b78039817d7193824840c17a78b48d747790829f0e46a5a419faef7018316a67e81e9c7f18e84dfd5b53efdffca4b6d9383

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

MD5 43067815f9aec155c6709bc8255ad4c4
SHA1 af67f24fe5e51c3e4ba48a794b4fd3bef7eb1cfa
SHA256 7e0ec6732d67da139279b218b7d4989816e17ca8070047139b1dc6e437c825f7
SHA512 0d16a3815a833f3e9af16b2331a6b6b4dac67709270f50fb93a92dafd8b44bf01a4fc8a4b894c68a40743f22c575c95b68eb72aa39c0f9cd0fda7a9a97d82a4a

C:\Program Files\Microsoft Office\root\Office16\VISSHE.DLL

MD5 709840003e106cb5d05b19dcbc1b3da8
SHA1 270e01a978f355381da5526763931d0bb2f189f6
SHA256 572853de4678137c861a942c869b5f0c0713491c6f1f9493f17a4d35935f62c3
SHA512 38699bfa5348524e43255837ca8828ab99231f577b7289d806b6cbdf93639129bc2a67cc9b8d922f4ae526c33fbfc845bffaef90ee7f7f28b3aa1430cd9ebed8