Malware Analysis Report

2025-08-05 15:09

Sample ID: 250503-r8x8fadn7s
Target: 2025-05-03_09ec588a6e8bef9665bbece082fe4434_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch
SHA256: 96c241a32de9593b69cc448b4b9caba623c1992a8c97986acb25b073931a7e2c
Tags: gofing credential_access discovery ransomware spyware stealer
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 96c241a32de9593b69cc448b4b9caba623c1992a8c97986acb25b073931a7e2c

Threat Level: Known bad

The file 2025-05-03_09ec588a6e8bef9665bbece082fe4434_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch was found to be: Known bad.

Malicious Activity Summary

gofing credential_access discovery ransomware spyware stealer

Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

Gofing family

Gofing

Renames multiple (52) files with added filename extension

Credentials from Password Stores: Windows Credential Manager

Drops startup file

Loads dropped DLL

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Drops Chrome extension

Drops autorun.inf file

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Browser Information Discovery

Unsigned PE

Analysis: static1

Detonation Overview

Reported: 2025-05-03 14:52

Signatures

Gofing family

gofing

Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted: 2025-05-03 14:52
Reported: 2025-05-03 14:55
Platform: win10v2004-20250502-en
Max time kernel: 150s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-03_09ec588a6e8bef9665bbece082fe4434_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe"

Signatures

Gofing

ransomware gofing

Gofing family

gofing

Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

Renames multiple (52) files with added filename extension

ransomware

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-05-03_09ec588a6e8bef9665bbece082fe4434_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe | N/A

Loads dropped DLL

Reads user/profile data of web browsers

spyware stealer

Drops Chrome extension

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\manifest.json | C:\Users\Admin\AppData\Local\Temp\2025-05-03_09ec588a6e8bef9665bbece082fe4434_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe | N/A

Drops desktop.ini file(s)

Drops autorun.inf file

Description | Indicator | Process | Target
File opened for modification | C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf | C:\Users\Admin\AppData\Local\Temp\2025-05-03_09ec588a6e8bef9665bbece082fe4434_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe | N/A

Drops file in System32 directory

Drops file in Program Files directory

Description Indicator Process Target

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Fonts\vga865.fon C:\Users\Admin\AppData\Local\Temp\2025-05-03_09ec588a6e8bef9665bbece082fe4434_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Users\App_LocalResources\findUsers.aspx.de.resx C:\Users\Admin\AppData\Local\Temp\2025-05-03_09ec588a6e8bef9665bbece082fe4434_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Browser Information Discovery

discovery

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-03_09ec588a6e8bef9665bbece082fe4434_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-03_09ec588a6e8bef9665bbece082fe4434_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
GB 88.221.135.41:443 www.bing.com tcp
US 8.8.8.8:53 c.pki.goog udp
DE 142.250.184.195:80 c.pki.goog tcp

Files

C:\Program Files\7-Zip\7-zip.dll


C:\Program Files\Microsoft Office\root\Office16\VISSHE.DLL


C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll
