Malware Analysis Report

2025-08-05 15:10

Sample ID 250503-r9rr2svtey
Target 2025-05-03_a3174b9e874a11e88e83ce11fdd021ce_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch
SHA256 e1d022ad5eb0ecee17695399bef467cd4727c35fb8a814d38414b7ec1a5b9038
Tags gofing credential_access discovery ransomware spyware stealer
Score 10/10

Analysis Overview

score
10/10

SHA256

e1d022ad5eb0ecee17695399bef467cd4727c35fb8a814d38414b7ec1a5b9038

Threat Level: Known bad

The file 2025-05-03_a3174b9e874a11e88e83ce11fdd021ce_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch was found to be: Known bad.

Malicious Activity Summary

gofing credential_access discovery ransomware spyware stealer

Gofing family

Gofing

Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

Renames multiple (52) files with added filename extension

Renames multiple (53) files with added filename extension

Manipulates Digital Signatures

Drops file in Drivers directory

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

Drops startup file

Credentials from Password Stores: Windows Credential Manager

Drops Chrome extension

Drops desktop.ini file(s)

Drops autorun.inf file

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Browser Information Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-03 14:53

Signatures

Gofing family

gofing

Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-03 14:53

Reported

2025-05-03 14:56

Platform

win10v2004-20250502-en

Max time kernel

150s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-03_a3174b9e874a11e88e83ce11fdd021ce_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe"

Signatures

Gofing

ransomware gofing

Gofing family

gofing

Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

Renames multiple (52) files with added filename extension

ransomware

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description: File created
Indicator: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
Process: C:\Users\Admin\AppData\Local\Temp\2025-05-03_a3174b9e874a11e88e83ce11fdd021ce_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
Target: N/A

Loads dropped DLL

Reads user/profile data of web browsers

spyware stealer

Drops Chrome extension

Description: File created
Indicator: C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\manifest.json
Process: C:\Users\Admin\AppData\Local\Temp\2025-05-03_a3174b9e874a11e88e83ce11fdd021ce_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
Target: N/A

Drops desktop.ini file(s)

Drops autorun.inf file

Description: File opened for modification
Indicator: C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf
Process: C:\Users\Admin\AppData\Local\Temp\2025-05-03_a3174b9e874a11e88e83ce11fdd021ce_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
Target: N/A

Drops file in Program Files directory

File created C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SmallTile.scale-200_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_a3174b9e874a11e88e83ce11fdd021ce_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\VideoEditor.Common.Native.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_a3174b9e874a11e88e83ce11fdd021ce_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\bg.pak C:\Users\Admin\AppData\Local\Temp\2025-05-03_a3174b9e874a11e88e83ce11fdd021ce_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-20_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_a3174b9e874a11e88e83ce11fdd021ce_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\ResourceDictionary.xbf C:\Users\Admin\AppData\Local\Temp\2025-05-03_a3174b9e874a11e88e83ce11fdd021ce_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptySearch.scale-150.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_a3174b9e874a11e88e83ce11fdd021ce_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailWideTile.scale-150.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_a3174b9e874a11e88e83ce11fdd021ce_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.18101.0_x64__8wekyb3d8bbwe\Microsoft.Services.Store.Engagement.winmd C:\Users\Admin\AppData\Local\Temp\2025-05-03_a3174b9e874a11e88e83ce11fdd021ce_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-black\MedTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_a3174b9e874a11e88e83ce11fdd021ce_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\OutlookMailBadge.scale-200.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_a3174b9e874a11e88e83ce11fdd021ce_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\uk-ua\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2025-05-03_a3174b9e874a11e88e83ce11fdd021ce_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Drops file in Windows directory


Browser Information Discovery

discovery

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-03_a3174b9e874a11e88e83ce11fdd021ce_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-03_a3174b9e874a11e88e83ce11fdd021ce_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe"

Network

Country Destination Domain Proto
GB 88.221.135.0:443 www.bing.com tcp
US 8.8.8.8:53 c.pki.goog udp
DE 142.250.184.195:80 c.pki.goog tcp

Files


Analysis: behavioral2

Detonation Overview

Submitted

2025-05-03 14:53

Reported

2025-05-03 14:56

Platform

win11-20250502-en

Max time kernel

150s

Max time network

104s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-03_a3174b9e874a11e88e83ce11fdd021ce_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe"

Signatures

Gofing

ransomware gofing

Gofing family

gofing

Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.


Renames multiple (53) files with added filename extension

ransomware

Drops file in Drivers directory


Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_a3174b9e874a11e88e83ce11fdd021ce_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Executes dropped EXE


Loads dropped DLL


Reads user/profile data of web browsers

spyware stealer

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\manifest.json C:\Users\Admin\AppData\Local\Temp\2025-05-03_a3174b9e874a11e88e83ce11fdd021ce_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Drops desktop.ini file(s)


Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_a3174b9e874a11e88e83ce11fdd021ce_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Drops file in System32 directory


Drops file in Program Files directory

File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_1.0.38.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\VoiceRecorderSplashScreen.scale-125_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_a3174b9e874a11e88e83ce11fdd021ce_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\it\System.Windows.Forms.Design.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_a3174b9e874a11e88e83ce11fdd021ce_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\NativeShim.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_a3174b9e874a11e88e83ce11fdd021ce_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.40831.0_x64__8wekyb3d8bbwe\swscale-5_ms.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_a3174b9e874a11e88e83ce11fdd021ce_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\Theme_Photo_GreenClovers_Background.jpg C:\Users\Admin\AppData\Local\Temp\2025-05-03_a3174b9e874a11e88e83ce11fdd021ce_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\ResiliencyLinks\Locales\sq.pak.DATA C:\Users\Admin\AppData\Local\Temp\2025-05-03_a3174b9e874a11e88e83ce11fdd021ce_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\System.Spatial.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_a3174b9e874a11e88e83ce11fdd021ce_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.40978.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SplashScreen.scale-200_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_a3174b9e874a11e88e83ce11fdd021ce_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.contrast-black_targetsize-16.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_a3174b9e874a11e88e83ce11fdd021ce_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\Images\Square44x44Logo.targetsize-20_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_a3174b9e874a11e88e83ce11fdd021ce_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\eu-es\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2025-05-03_a3174b9e874a11e88e83ce11fdd021ce_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\close_dark.svg C:\Users\Admin\AppData\Local\Temp\2025-05-03_a3174b9e874a11e88e83ce11fdd021ce_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\cs-cz\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2025-05-03_a3174b9e874a11e88e83ce11fdd021ce_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2104.12721.0_x64__8wekyb3d8bbwe\System.Runtime.Handles.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_a3174b9e874a11e88e83ce11fdd021ce_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.41182.0_x64__8wekyb3d8bbwe\Assets\MedTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_a3174b9e874a11e88e83ce11fdd021ce_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\Office365LogoWLockup.scale-180.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_a3174b9e874a11e88e83ce11fdd021ce_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\en-US\tipresx.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_a3174b9e874a11e88e83ce11fdd021ce_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\ru\msipc.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_a3174b9e874a11e88e83ce11fdd021ce_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.BingWeather_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\WeatherAppList.targetsize-32_altform-lightunplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_a3174b9e874a11e88e83ce11fdd021ce_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\lib-commonjs\types\IAnimationStyles.js C:\Users\Admin\AppData\Local\Temp\2025-05-03_a3174b9e874a11e88e83ce11fdd021ce_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\de-DE\MSFT_PackageManagement.schema.mfl C:\Users\Admin\AppData\Local\Temp\2025-05-03_a3174b9e874a11e88e83ce11fdd021ce_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Common Files\System\msadc\en-US\msadcor.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_a3174b9e874a11e88e83ce11fdd021ce_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\msedgeupdateres_sk.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_a3174b9e874a11e88e83ce11fdd021ce_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Common Files\System\ado\msadomd.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_a3174b9e874a11e88e83ce11fdd021ce_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2102.13.0_x64__8wekyb3d8bbwe\Assets\NotepadMedTile.scale-150.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_a3174b9e874a11e88e83ce11fdd021ce_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.ComponentModel.TypeConverter.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_a3174b9e874a11e88e83ce11fdd021ce_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-64_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_a3174b9e874a11e88e83ce11fdd021ce_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-80_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_a3174b9e874a11e88e83ce11fdd021ce_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Channels.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_a3174b9e874a11e88e83ce11fdd021ce_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ko-kr\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2025-05-03_a3174b9e874a11e88e83ce11fdd021ce_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\resources.pri C:\Users\Admin\AppData\Local\Temp\2025-05-03_a3174b9e874a11e88e83ce11fdd021ce_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-commonjs\utilities\groupedList\GroupedListUtility.js C:\Users\Admin\AppData\Local\Temp\2025-05-03_a3174b9e874a11e88e83ce11fdd021ce_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Net.WebProxy.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_a3174b9e874a11e88e83ce11fdd021ce_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Windows.Forms.Primitives.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_a3174b9e874a11e88e83ce11fdd021ce_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\UIAutomationTypes.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_a3174b9e874a11e88e83ce11fdd021ce_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\TCUI-App.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_a3174b9e874a11e88e83ce11fdd021ce_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib-commonjs\memoize.js C:\Users\Admin\AppData\Local\Temp\2025-05-03_a3174b9e874a11e88e83ce11fdd021ce_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-string-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_a3174b9e874a11e88e83ce11fdd021ce_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SLATE\THMBNAIL.PNG C:\Users\Admin\AppData\Local\Temp\2025-05-03_a3174b9e874a11e88e83ce11fdd021ce_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_1.0.22.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\MapsSmallTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_a3174b9e874a11e88e83ce11fdd021ce_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2104.12721.0_x64__8wekyb3d8bbwe\System.Runtime.Serialization.Xml.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_a3174b9e874a11e88e83ce11fdd021ce_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PeopleSplashScreen.scale-100.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_a3174b9e874a11e88e83ce11fdd021ce_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Drops file in Windows directory


Browser Information Discovery

discovery

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-03_a3174b9e874a11e88e83ce11fdd021ce_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-03_a3174b9e874a11e88e83ce11fdd021ce_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe"

Network

Files
