Malware Analysis Report

2025-08-05 15:10

Sample ID: 250503-rm5emacr41
Target: 2025-05-03_d58891805e4d4180c404406772b41030_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch
SHA256: 6de1bb89ff8ee2fee46443813f4e134d298789a24a4dcb6dea73ec005552966d
Tags: gofing credential_access discovery ransomware spyware stealer
Score: 10/10


Analysis Overview


Threat Level: Known bad

The file 2025-05-03_d58891805e4d4180c404406772b41030_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch was found to be: Known bad.

Malicious Activity Summary

gofing credential_access discovery ransomware spyware stealer

Gofing

Gofing family

Gofing is ransomware written in Golang that uses Velocity Polymorphic Compression (VPC) obfuscation.

Renames multiple (52) files with added filename extension

Manipulates Digital Signatures

Loads dropped DLL

Drops startup file

Credentials from Password Stores: Windows Credential Manager

Reads user/profile data of web browsers

Drops Chrome extension

Drops desktop.ini file(s)

Drops autorun.inf file

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Browser Information Discovery


Analysis: static1

Detonation Overview

Reported

2025-05-03 14:19

Signatures

Gofing family

gofing


Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2025-05-03 14:19

Reported

2025-05-03 14:22

Platform

win10v2004-20250502-en

Max time kernel

150s

Max time network

109s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-03_d58891805e4d4180c404406772b41030_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe"

Signatures

Gofing

ransomware gofing

Gofing family

gofing


Renames multiple (52) files with added filename extension

ransomware

Manipulates Digital Signatures

Description Indicator Process Target
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_d58891805e4d4180c404406772b41030_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_d58891805e4d4180c404406772b41030_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Loads dropped DLL


Reads user/profile data of web browsers

spyware stealer

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\manifest.json C:\Users\Admin\AppData\Local\Temp\2025-05-03_d58891805e4d4180c404406772b41030_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Drops desktop.ini file(s)


Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_d58891805e4d4180c404406772b41030_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Drops file in System32 directory

File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\VpnClient\VpnClientPSProvider.Format.ps1xml C:\Users\Admin\AppData\Local\Temp\2025-05-03_d58891805e4d4180c404406772b41030_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\iSCSI\iSCSISession.cdxml C:\Users\Admin\AppData\Local\Temp\2025-05-03_d58891805e4d4180c404406772b41030_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\CallButtons.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_d58891805e4d4180c404406772b41030_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Drops file in Program Files directory

Description Indicator Process Target

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\ImmersiveControlPanel\images\Globe.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_d58891805e4d4180c404406772b41030_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\Roles\App_LocalResources\manageSingleRole.aspx.de.resx C:\Users\Admin\AppData\Local\Temp\2025-05-03_d58891805e4d4180c404406772b41030_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Providers\ManageConsolidatedProviders.aspx C:\Users\Admin\AppData\Local\Temp\2025-05-03_d58891805e4d4180c404406772b41030_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\fr\System.Data.OracleClient.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_d58891805e4d4180c404406772b41030_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\ja\System.Windows.Controls.Ribbon.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_d58891805e4d4180c404406772b41030_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ComponentModel.DataAnnotations.resources\v4.0_4.0.0.0_it_31bf3856ad364e35\System.ComponentModel.DataAnnotations.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_d58891805e4d4180c404406772b41030_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\ja-JP\ShapeCollector.adml C:\Users\Admin\AppData\Local\Temp\2025-05-03_d58891805e4d4180c404406772b41030_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\rt3d.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_d58891805e4d4180c404406772b41030_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\System.XML.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_d58891805e4d4180c404406772b41030_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\de\mscorrc.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_d58891805e4d4180c404406772b41030_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\es-ES\AutoPlay.adml C:\Users\Admin\AppData\Local\Temp\2025-05-03_d58891805e4d4180c404406772b41030_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\ja-JP\PowerShellExecutionPolicy.adml C:\Users\Admin\AppData\Local\Temp\2025-05-03_d58891805e4d4180c404406772b41030_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Browser Information Discovery

discovery

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-03_d58891805e4d4180c404406772b41030_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-03_d58891805e4d4180c404406772b41030_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe"

Network

Country Destination Domain Proto
DE 142.250.185.131:80 c.pki.goog tcp

Files

C:\Program Files\7-Zip\7-zip32.dll


C:\Program Files\Microsoft Office\root\Office16\VISSHE.DLL


C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll
