Malware Analysis Report

2025-08-05 15:10

Sample ID 250503-sfyh6svvg1
Target 2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch
SHA256 f032af7f19f6f8271d9ebfbd15c5dcaebc93ec5f2b155c30429363e1c887dcae
Tags
gofing credential_access discovery ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f032af7f19f6f8271d9ebfbd15c5dcaebc93ec5f2b155c30429363e1c887dcae

Threat Level: Known bad

The file 2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch was found to be: Known bad.

Malicious Activity Summary

gofing credential_access discovery ransomware spyware stealer

Gofing family

Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

Gofing

Renames multiple (53) files with added filename extension

Drops file in Drivers directory

Manipulates Digital Signatures

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Credentials from Password Stores: Windows Credential Manager

Drops startup file

Drops desktop.ini file(s)

Drops Chrome extension

Drops autorun.inf file

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Browser Information Discovery

Enumerates system info in registry

Suspicious use of SetWindowsHookEx

Modifies registry class

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-03 15:04

Signatures

Gofing family

gofing

Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-03 15:04

Reported

2025-05-03 15:07

Platform

win10v2004-20250502-en

Max time kernel

150s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe"

Signatures

Gofing

ransomware gofing

Gofing family

gofing

Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\en-US\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\gm.dls C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\it-IT\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\uk-UA\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\de-DE\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\de-DE\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\es-ES\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\fr-FR\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\gmreadme.txt C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\en-US\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\fr-FR\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\it-IT\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\ja-JP\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\afunix.sys C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\es-ES\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\ja-JP\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Manipulates Digital Signatures

Description Indicator Process Target
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\manifest.json C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Offline Web Pages\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Dism\ja-JP\DismProv.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\de-DE\explorer.exe.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\dmcompos.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\dmstyle.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WMVXENCD.DLL C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetNat\MSFT_NetNatSession.cdxml C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\PSDesiredStateConfiguration.format.ps1xml C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\es-ES\serialui.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\KBDINKAN.DLL C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\SensApi.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\PSDesiredStateConfiguration.psm1 C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\en-US\ActionCenterCPL.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\es-ES\msfeedsbs.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\InstallShield\setupdir\0014\_setup.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\Windows.Media.Protection.PlayReady.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BranchCache\BranchCache.types.ps1xml C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetEventPacketCapture\MSFT_NetEventSession.format.ps1xml C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\en-US\WsmRes.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\Display.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetAdapter\MSFT_NetAdapterSriov.cdxml C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\dataclen.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\edgeIso.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\en-US\rdvgogl32.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\es-ES\sppc.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\Windows.Graphics.Printing.3D.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetAdapter\MSFT_NetAdapterRss.Format.ps1xml C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\default.help.txt C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\de-DE\xwizards.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\en-US\VAN.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\ActionCenterCPL.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\DaOtpCredentialProvider.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetAdapter\MSFT_NetAdapterLso.Format.ps1xml C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\cabapi.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\downlevel\API-MS-Win-core-xstate-l2-1-0.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\dssec.dat C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\en-US\provplatformdesktop.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\PeopleAPIs.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\UIManagerBrokerps.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\Speech_OneCore\Common\it-IT\VES-Disambiguation.0410.grxml C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetConnection\MSFT_NetConnectionProfile.format.ps1xml C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\de-DE\msvfw32.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\en-US\wavemsp.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\en-US\winmsipc.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\es-ES\iepeers.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetTCPIP\MSFT_NetIPInterface.cdxml C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\cryptbase.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\de-DE\ir41_32original.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\en-US\SyncRes.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\DiagnosticInvoker.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WinMetadata\Windows.Networking.winmd C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\downlevel\api-ms-win-core-privateprofile-l1-1-1.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\es-ES\Windows.System.Profile.HardwareId.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\SettingSyncHost.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WfHC.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\en\Microsoft.AppV.AppvClientComConsumer.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Dism\it\Microsoft.Dism.Powershell.Resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetEventPacketCapture\MSFT_NetEventWFPCaptureProvider.cdxml C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\MSFlacEncoder.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WMVDECOD.DLL C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\Windows.ApplicationModel.Store.TestingFramework.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\chkntfs.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\downlevel\API-MS-Win-Core-Kernel32-Private-L1-1-1.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\KBDHU.DLL C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetEventPacketCapture\MSFT_NetEventVFPProvider.format.ps1xml C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-140.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-60_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_checkbox_selected_18.svg C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\cryptocme.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\WATERMAR\PREVIEW.GIF C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-us\onintlim.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteReplayCrossHairIcon-1.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailSplashLogo.scale-100.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WideTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-60_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Speech\en-GB\tokens_enGB.xml C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\Match.Tests.ps1 C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_empty_state.svg C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\rhp_world_icon_hover.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\hu-hu\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXEV.DLL C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\dialogs\error_window.html C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\Assets\Images\SkypeLargeTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageLargeTile.scale-200_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-black_scale-100.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\CalculatorWideTile.contrast-white_scale-100.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipsesp.xml C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\whatsnewsrc\bulletin_board.css C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Store.Purchase\Controls\ProgressControl.xaml C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\TimerSmallTile.contrast-black_scale-200.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Core.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Drawing.Design.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\da-dk\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\th_get.svg C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SmallTile.scale-150_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-black\WideTile.scale-200_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\close_x.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\fr-ma\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\ink\rtscom.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\WidevineCdm\manifest.json C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\Locales\cy.pak C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\sscicons.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Viewpoints\Dark\Cavalier.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\offsymxl.ttf C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\new_icons_retina.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Grace-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sql90.xsl C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_filter\libblendbench_plugin.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-125_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-96_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-20.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\Ratings\YelpLogo.svg C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\legal\jdk\thaidict.md C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_OEM_Perp-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-core-file-l1-2-0.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\171.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-16_altform-fullcolor.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppValueProp.svg C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailSmallTile.scale-150.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.Linq.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\WPFEXTENSIONS.DLL C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-32.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_sv.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\MEIPreload\manifest.json C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\uz-Latn-UZ\View3d\3DViewerProductDescription-universal.xml C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\PRNDMediaSource.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\UIAutomationClient.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\br.gif C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ja\System.Activities.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility.Resources\v4.0_3.0.0.0_de_31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.Resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Transactions.Bridge.Dtc.resources\v4.0_4.0.0.0_de_b03f5f7f11d50a3a\Microsoft.Transactions.Bridge.Dtc.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PLA\Rules\de-DE\Rules.System.NetDiagFramework.xml C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\ReAgent.admx C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\fr\System.ServiceModel.Install.Resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Common.Tasks C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\PresentationFramework-SystemCore.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\de\System.ServiceModel.Channels.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\fr\System.ComponentModel.Composition.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Speech_OneCore\Engines\SR\es-ES-N\tn3082.bin C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Speech_OneCore\Engines\TTS\de-DE\M1031Stefan.INI C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\it\System.Data.OracleClient.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\DE\System.Security.Resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.ObjectModel.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\es-ES\PushToInstall.adml C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Boot\EFI\kd_02_1969.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ThirdPartyNotices.txt C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard\App_LocalResources\wizard.aspx.fr.resx C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Roles\App_LocalResources\manageSingleRole.aspx.it.resx C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\de-DE\EventViewer.adml C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Fonts\s8514oem.fon C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\circlass.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Images\folder.gif C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\fr\System.Data.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v3.5\Sentinel.v3.5Client.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\it-IT\PresentationHost_v0400.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.ApplicationServer.Applications\v4.0_4.0.0.0__31bf3856ad364e35\Microsoft.Windows.ApplicationServer.Applications.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\fr-FR\Logon.adml C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\App_LocalResources\AppSetting.ascx.de.resx C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.DataVisualization.resources\v4.0_4.0.0.0_de_31bf3856ad364e35\System.Web.DataVisualization.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.DataVisualization.resources\v4.0_4.0.0.0_it_31bf3856ad364e35\System.Web.DataVisualization.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\ja-JP\EventLog.adml C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\mdmusrsp.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_64\AuditPolicyGPManagedStubs.Interop\v4.0_10.0.0.0__31bf3856ad364e35\AuditPolicyGPManagedStubs.Interop.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SecurityAuditPoliciesSnapIn.resources\v4.0_10.0.0.0_it_31bf3856ad364e35\SecurityAuditPoliciesSnapIn.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\DeviceCredential.admx C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Prefetch\RUNDLL32.EXE-DB926CB0.pf C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfcm100_x86 C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_Data\GroupedProviders.xml C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ja\Regasm.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationUI.resources\v4.0_4.0.0.0_ja_31bf3856ad364e35\PresentationUI.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Cursors\size3_im.cur C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe.manifest C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\App_LocalResources\CreateAppSetting.aspx.resx C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\GlobalMonospace.CompositeFont C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\PresentationFramework-SystemCore.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.DSC.CoreConfProviders.Resources\v4.0_3.0.0.0_it_31bf3856ad364e35\Microsoft.Windows.DSC.CoreConfProviders.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Fonts\GARABD.TTF C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\it\System.Web.Resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.EnterpriseServices.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\fr\System.Device.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\ReachFramework.resources\v4.0_4.0.0.0_es_31bf3856ad364e35\ReachFramework.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Regasm.resources\v4.0_4.0.0.0_es_b03f5f7f11d50a3a\Regasm.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\en-US\Shell-CommandPrompt-RegEditTools.adml C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\fr-FR\Snmp.adml C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Fonts\cambriaz.ttf C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100_x86 C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\QuickTime.mpp C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\App_LocalResources\WebAdminHelp_Internals.aspx.fr.resx C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\de\System.IdentityModel.Selectors.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security.Cryptography.X509Certificates\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.Cryptography.X509Certificates.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Channels.resources\v4.0_4.0.0.0_it_31bf3856ad364e35\System.ServiceModel.Channels.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Browser Information Discovery

discovery

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "937" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "0" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "0" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "904" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "881" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "937" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "904" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe"

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

Network

Country Destination Domain Proto
GB 88.221.134.249:443 www.bing.com tcp
US 8.8.8.8:53 c.pki.goog udp
DE 142.250.184.195:80 c.pki.goog tcp

Files

C:\Program Files\7-Zip\7z.dll

MD5 f17a96f168083d667df08f23f394bc94
SHA1 777c7850027948dfb03609ffe20aadc699bbe2bb
SHA256 fc4dd24357a3a7f5005812d238507db89bb30a57d9434911d9dbd71bccaa23f1
SHA512 a85a7af3435731571482a19a1c552eeadff72361e03e99e8d63ddab735939685f2e9d76894ada1313a324594628d2a215396a1888ca2768d4e2804e2d25aca5f

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

MD5 97aad85a9d4b8f339e00729d977640ee
SHA1 69861e79676800bb0ce299846f06674095a5b7ee
SHA256 9ac4f688229f323c1dfa77bf5ee54dfad1c7c5236a06580f0feba4ea1d045c17
SHA512 b4aec15e47f88bc56ccb4e44bc19f5ffc8c771c81ed762dab914feca21c14ea6972a711a9b606e1e99aa4e901b427bf4983f9dfbd78ad5402574f036e316ad25

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133907583940398478.txt

MD5 8f8b6431df6661fb9dab8a89c7f8140e
SHA1 c08e03666e8097fe5fd53aba0543c5ad0f5e902d
SHA256 73c0bde22714885c7b5d8097c39236ed99c4f7d52ef5d48772819f859b1e6bf0
SHA512 d8854599c951460100584caa01968bcc1b7b23bba50e17c619f47167a4b4b683170f68c72743a38130ef2597b84f688d3e8462f5c5a48b4aca4fa7331c855b26

memory/2216-5732-0x0000016FDEA50000-0x0000016FDEA70000-memory.dmp

memory/2216-5738-0x0000016FDEA10000-0x0000016FDEA30000-memory.dmp

memory/2216-5739-0x0000016FDF020000-0x0000016FDF040000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\3FESS8ZQ\microsoft.windows[1].xml

MD5 85bdbabc7b95040643d10928ec751042
SHA1 1729eb81300828f45121282bd78e7d8edb60806d
SHA256 e82b2adb9d4a506a15db5a5e124fee0a74c9eacd3d92421afb0ab8a141ed928e
SHA512 6dd5a984d367d979909a430b64a8031c75ee27ac69b63ac13f4f5c311030b52a6ad7f49b997812d8c049f8275d25d214979c3fd907f738b46dbe239f966e4e31

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{2c7fbe2f-f72a-4eee-9702-f213ea3d07bb}\Apps.index

MD5 0dbe9680d1e2119057acaf423cac748a
SHA1 ee99936909d9c339cba0c9f515f855d1bc9b318f
SHA256 4368c307c6e0a3b5fef53ad12b841d599f26f9c7f26ca1e21e0dbc439a238ff9
SHA512 fb9afdadfd63649132d052e28f1daee9e3ae56fa00d898754278ef7d9d7c447ec33f3668780b220553528551a179afb20aee84549205c379d75fab8d6b6210da

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{2c7fbe2f-f72a-4eee-9702-f213ea3d07bb}\Apps.ft

MD5 77aaf7085b78aabccf5b1bae1da22bbb
SHA1 9d4785556cfa5ca1e232a88894eed1c66f348501
SHA256 c37e3d096fb087e56f22c35b08334be89d5708456c570d65c11cba99a27e3c59
SHA512 ab83ca6db7f529709b3327ccb49ae6f2a2ad65f1e7ca9ee09824ad0017c4cc8cd57c6effbcbbc83225ddfbde7ee4bafe226d2344b3b670a6723457b75cbf0c1a

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{2c7fbe2f-f72a-4eee-9702-f213ea3d07bb}\0.2.filtertrie.intermediate.txt

MD5 c204e9faaf8565ad333828beff2d786e
SHA1 7d23864f5e2a12c1a5f93b555d2d3e7c8f78eec1
SHA256 d65b6a3bf11a27a1ced1f7e98082246e40cf01289fd47fe4a5ed46c221f2f73f
SHA512 e72f4f79a4ae2e5e40a41b322bc0408a6dec282f90e01e0a8aaedf9fb9d6f04a60f45a844595727539c1643328e9c1b989b90785271cc30a6550bbda6b1909f8

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{2c7fbe2f-f72a-4eee-9702-f213ea3d07bb}\0.1.filtertrie.intermediate.txt

MD5 34bd1dfb9f72cf4f86e6df6da0a9e49a
SHA1 5f96d66f33c81c0b10df2128d3860e3cb7e89563
SHA256 8e1e6a3d56796a245d0c7b0849548932fee803bbdb03f6e289495830e017f14c
SHA512 e3787de7c4bc70ca62234d9a4cdc6bd665bffa66debe3851ee3e8e49e7498b9f1cbc01294bf5e9f75de13fb78d05879e82fa4b89ee45623fe5bf7ac7e48eda96

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{2c7fbe2f-f72a-4eee-9702-f213ea3d07bb}\0.0.filtertrie.intermediate.txt

MD5 936b0a778aa1be7e3034258367c98689
SHA1 1f488a47008c9ffe3643e1473208b30c6c8849b1
SHA256 5403748cacc0090701bb9a3982a3059ebe25d2be35e7a8ff93fccbee66a7e408
SHA512 13b8c495f05c15809a1de5ab37f583f1813b299e609518e1b2d78986436d945de1c0595ae8e1c839ca7f8db8404eb7efb817f8532e86c8f62884534a1921ca56

memory/2276-5843-0x00000247FCAB0000-0x00000247FCAD0000-memory.dmp

memory/2276-5858-0x00000247FCA70000-0x00000247FCA90000-memory.dmp

memory/2276-5876-0x00000247FCE00000-0x00000247FCE20000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\3FESS8ZQ\microsoft.windows[1].xml

MD5 9d878c5b559e2a15ec6ab81004c9d4a9
SHA1 93376927b9b2ec0dd922cc07df9a8292449c29cd
SHA256 a2ba68b4e9c61181288bb42d19bbfe68abd2966ced20bd1dcc8db80a28e570e5
SHA512 8e078f7c43026138dcd94ad93e809cd3d5b35457ffec212ee2d576af81450ed0b3de18bfb1e00d5b0bb3890eadf861d8afb82b2c0fc42ada1f226788038c9f5f

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat

MD5 394eee57a915956e69aaa3924ec4a53a
SHA1 d3f15274f0f9bc5c407e9216b920e5e3d3fd634a
SHA256 772c41e3c193e9be30336afdecf3a786d204e3e5f2e11ce30111943ab2fc0678
SHA512 584ed5d6ac53f06a9acb67705810739292b337ae819fe92657c355429621e87782eccf74c592b1a8a8fa88954431ddc6c5d1fc28c22836c02ac6fe7781ed7101

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\IDX_CONTENT_TASKBARHEADLINES.json

MD5 edb28f6a770ce465924c1b00161bb778
SHA1 6e847491e183a8c32242e47baf41d1299ffd115a
SHA256 cbb02e12ee5a1a4a6edaa847ee9b27a6519b4cd49166f4f22c8791a5e50922b9
SHA512 f43d354f5c7c4f87572485485e4e2bec9e89e86c38382841e40ff328b02110ba419227170605b3bf5480ddcb4b33aa99a511a5887381c060185e17bdc49e1061

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat

MD5 2e2818d813637ed7f3c5b476d9d96856
SHA1 07c8ec4eba6c7b2cbac7338179ebbbbd4f1abb7f
SHA256 310947b352ad904a52a9f77a6f85badb8a893352ba81c66ef735dcadde163616
SHA512 9472b6d26b5a342b05d5e92220f6a488b26433a02439c89d53032ce10ec7b20ba9bac2184bb5a2154f5b52f7c43ed0ac67fe0ffae0868efc000d7c18a3ed82dc

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133907584000315718.txt

MD5 aaabd569f8458096c85f02092eece5aa
SHA1 ad838436d0250be0c7520a1cbc7c72ac9365fe5b
SHA256 d1e73bf1854ebd1a75ac8267c868fc124b3fab9b500596e6ddc784d60eaa2b79
SHA512 70909a99c225efccc030c5f76176e2efe071518fc6a1317bdb2da6732609e6eef08a3ad9cc9b0daf42d5ce678f3ac2584ec4162c7afe019ea7aef158a184ecdc

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{52d8ec9e-3dba-488b-9bec-7dbb3a1b12ba}\appsconversions.txt

MD5 bd80c5bdf003b5858da6e9f8dd956da6
SHA1 a5ca3cb203224f8eea4de4519c5e35deb9294f0f
SHA256 c855aa25cd1ec3c957d2c695752808adfbddf8ff3f98efc6162e1c04336e84d0
SHA512 b735baff690e16b0cf1d2aba46e47bb490651313956e9379f124e04db426f6c01eb63e1122836a76d4abd805e8b2a82d11eb9026774eadba4b543c1aa8b69dc3

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{52d8ec9e-3dba-488b-9bec-7dbb3a1b12ba}\apps.schema

MD5 1659677c45c49a78f33551da43494005
SHA1 ae588ef3c9ea7839be032ab4323e04bc260d9387
SHA256 5af0fc2a0b5ccecdc04e54b3c60f28e3ff5c7d4e1809c6d7c8469f0567c090bb
SHA512 740a1b6fd80508f29f0f080a8daddec802aabed467d8c5394468b0cf79d7628c1cb5b93cf69ed785999e8d4e2b0f86776b428d4fa0d1afcdf3cbf305615e5030

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{52d8ec9e-3dba-488b-9bec-7dbb3a1b12ba}\apps.csg

MD5 5475132f1c603298967f332dc9ffb864
SHA1 4749174f29f34c7d75979c25f31d79774a49ea46
SHA256 0b0af873ef116a51fc2a2329dc9102817ce923f32a989c7a6846b4329abd62cd
SHA512 54433a284a6b7185c5f2131928b636d6850babebc09acc5ee6a747832f9e37945a60a7192f857a2f6b4dd20433ca38f24b8e438ba1424cc5c73f0aa2d8c946ff

Analysis: behavioral2

Detonation Overview

Submitted

2025-05-03 15:04

Reported

2025-05-03 15:07

Platform

win11-20250502-en

Max time kernel

150s

Max time network

104s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe"

Signatures

Gofing

ransomware gofing

Gofing family

gofing

Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Renames multiple (53) files with added filename extension

ransomware

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\it-IT\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\ja-JP\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\de-DE\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\gmreadme.txt C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\it-IT\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\de-DE\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\en-US\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\en-US\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\es-ES\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\es-ES\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\ja-JP\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\afunix.sys C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\fr-FR\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\fr-FR\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\gm.dls C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\uk-UA\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\manifest.json C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Offline Web Pages\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\$Recycle.Bin\S-1-5-21-2117256398-1057710415-2142084777-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Downloaded Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Media\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Dism\ja-JP\MsiProvider.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\de-DE\MbaeApi.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\es-ES\UserDeviceRegistration.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\ja-JP\Dism.exe.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Foundation-Package~31bf3856ad364e35~amd64~~10.0.22000.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Shell-CustomShellHost-Package~31bf3856ad364e35~amd64~uk-UA~10.0.22000.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-msmq-dcomproxy-Opt-Package~31bf3856ad364e35~amd64~uk-UA~10.0.22000.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-msmq-runtime-Opt-Package~31bf3856ad364e35~amd64~de-DE~10.0.22000.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\NetworkList\Icons\StockIcons\house_32.bin C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\fmifs.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\wbem\uk-UA\wininit.mfl C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-AssignedAccess-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.22000.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package01~31bf3856ad364e35~amd64~es-ES~10.0.22000.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-MDAC-Core-Package~31bf3856ad364e35~amd64~~10.0.22000.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Printing-XPSServices-Package~31bf3856ad364e35~amd64~uk-UA~10.0.22000.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Telnet-Client-Package~31bf3856ad364e35~amd64~it-IT~10.0.22000.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\Windows.Devices.Printers.Extensions.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Provisioning\provisioning.psm1 C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\dhcpsapi.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\fundisc.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\xpsservices.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Package-base-Package~31bf3856ad364e35~amd64~~10.0.22000.376.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Common-RegulatedPackages-Package~31bf3856ad364e35~amd64~es-ES~10.0.22000.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Management-SecureAssessment-Package~31bf3856ad364e35~amd64~en-US~10.0.22000.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\FamilySafetyExt.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetSecurity\NetIPsecPolicyChange.cmdletDefinition.cdxml C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\de-DE\XInput9_1_0.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\mfc110jpn.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\wbem\uk-UA\wsp_fs.mfl C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-Internal-Graphics-Display-DisplayEnhancementManagement-Package~31bf3856ad364e35~amd64~~10.0.22000.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Multimedia-RestrictedCodecs-merged-Package~31bf3856ad364e35~amd64~uk-UA~10.0.22000.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-NetFx2-OC-Package~31bf3856ad364e35~amd64~~10.0.22000.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\F12\ja-JP\F12Script.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\wbem\iscsiwmiv2.mof C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\ComputerToastIcon.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-UtilityVM-Containers-Shared-Package~31bf3856ad364e35~amd64~~10.0.22000.318.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-FCI-Client-WOW64-Package~31bf3856ad364e35~amd64~es-ES~10.0.22000.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-RemoteDesktop-UserModeRDProtocol-Package~31bf3856ad364e35~amd64~en-US~10.0.22000.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-RemoteDesktop-UserModeRDProtocol-merged-Package~31bf3856ad364e35~amd64~it-IT~10.0.22000.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\de-DE\msmpeg2enc.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\migration\SxsMigPlugin.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\wdigest.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\C_20001.NLS C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-CloudExperienceHost-Appx-Package~31bf3856ad364e35~amd64~~10.0.22000.176.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Common-DriverClasses-merged-Package~31bf3856ad364e35~amd64~en-US~10.0.22000.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-StepsRecorder-Package~31bf3856ad364e35~amd64~uk-UA~10.0.22000.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-msmq-triggers-Opt-Package~31bf3856ad364e35~amd64~~10.0.22000.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\MsDtc\MSFT_DtcTransactionsTraceSettingTask_v1.0.cdxml C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\dxva2.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\C_1149.NLS C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Lxss-merged-Package~31bf3856ad364e35~amd64~~10.0.22000.282.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetworkTransition\MSFT_NetDnsTransitionMonitoring.format.ps1xml C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\downlevel\api-ms-win-service-management-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\fr-FR\APHostRes.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\fr-FR\ncpa.cpl.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\msrepl40.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\spfileq.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Host-Compute-Interop-Package~31bf3856ad364e35~amd64~de-DE~10.0.22000.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-IoTUAP-ShellExt-Tools-Package~31bf3856ad364e35~amd64~en-US~10.0.22000.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\es-ES\BWContextHandler.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\fr-FR\ir50_32original.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\globinputhost.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-VmBus-VirtualDevice-merged-Package~31bf3856ad364e35~amd64~ja-JP~10.0.22000.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Holographic-Desktop-Merged-WOW64-Package~31bf3856ad364e35~amd64~~10.0.22000.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreAppList.targetsize-80.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ro-ro\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ro-ro\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\hr-hr\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_ogg_plugin.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2020.503.58.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\CameraSplashScreen.scale-125.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.BingWeather_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\WeatherAppList.targetsize-64_altform-lightunplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_1.0.36.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-96_altform-lightunplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib\Link.js C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Csi.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_1.0.36.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsStoreLogo.scale-100_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\Doughboy.scale-150.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxSmallTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\sfs_icons.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2104.12721.0_x64__8wekyb3d8bbwe\AppBridge.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-32.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\UIAutomationTypes.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\PresentationFramework.Luna.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\ca-Es-VALENCIA.pak C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\cy.pak C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.40831.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-32_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2103.1172.0_x64__8wekyb3d8bbwe\Assets\contrast-white\FeedbackHubAppList.targetsize-72_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib\Spinner.js C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\TXP_DiningReservation_Light.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxMediumTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2020.503.58.0_x64__8wekyb3d8bbwe\Assets\CameraAppList.targetsize-16_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2103.1172.0_x64__8wekyb3d8bbwe\Assets\FeedbackHubAppList.targetsize-72_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\ja\Microsoft.VisualBasic.Forms.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\vk_swiftshader_icd.json C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_20_666666_40x40.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.41182.0_x64__8wekyb3d8bbwe\Assets\contrast-black\StoreLogo.scale-400_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2103.1172.0_x64__8wekyb3d8bbwe\clrcompression.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-ae\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_12008.1001.1.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreSplashScreen.scale-200.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-runtime-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\cs\System.Windows.Forms.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pt-br\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-48_altform-lightunplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-amd\components\GroupedList\GroupedList.types.js C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib-amd\customizations\mergeSettings.js C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\ExchangeSmallTile.scale-150.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Trust Protection Lists\Sigma\Social C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PaintWideTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.41182.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-80_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\TerminalApp\TabRowControl.xaml C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\sv-se\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_filter\libsepia_plugin.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Getstarted_10.2.41172.0_x64__8wekyb3d8bbwe\Assets\TipsAppList.targetsize-16_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_x64__8wekyb3d8bbwe\omsautimmss.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_x64__8wekyb3d8bbwe\Assets\Illustrations\errorIllustration.scale-200.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib-amd\dom\setSSR.js C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\rhp_world_icon_2x.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\msdatl3.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_x64__8wekyb3d8bbwe\Assets\Standard.targetsize-24_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2102.13.0_x64__8wekyb3d8bbwe\Assets\NotepadAppList.scale-100.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\fr-ma\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\ResiliencyLinks\edge_game_assist\VERSION.DATA C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-string-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.ServiceModel.Resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ScreenSketch_11.2104.2.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\SnipSketchSmallTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCalculator_10.2012.21.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\CalculatorLargeTile.scale-125_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Prefetch\PSEXEC.EXE-80F89DAE.pf C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Narrator.lnk C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\MSDTC\0C0A\msdtcprf.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\displaylanguagenames.en_gb_e C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\webengine.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\1036\Microsoft.VisualBasic.Activities.CompilerUI.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\ComSvcConfig.resources\v4.0_4.0.0.0_de_b03f5f7f11d50a3a\ComSvcConfig.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Prefetch\AgGlFgAppHistory.db C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Fonts\ARIALNBI.TTF C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\mdmsun2.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Design.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PLA\Rules\en-US\Rules.System.Common.xml C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Cursors\libeam.cur C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\hidinterrupt.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\1036\alinkui.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelInstallRC.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\de\System.DirectoryServices.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\it\Microsoft.Workflow.Compiler.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ja\Microsoft.Build.Utilities.v4.0.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Providers\App_LocalResources\manageconsolidatedProviders.aspx.ja.resx C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\usbstor.PNF C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\App_LocalResources\home1.aspx.fr.resx C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\fr\ComSvcConfig.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\de\DataSvcUtil.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\de\System.DirectoryServices.Protocols.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\es\System.Web.Extensions.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\TaskScheduler.Resources\v4.0_10.0.0.0_es_31bf3856ad364e35\TaskScheduler.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\PERFLIB\0C0A\perfi.dat C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ImmersiveControlPanel\images\splashscreen.contrast-white_scale-150.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Providers\App_LocalResources\providerList.ascx.de.resx C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\es\System.Web.Abstractions.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\en-US\WinMaps.adml C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\it-IT\InkWatson.adml C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Sun\Java\Deployment\deployment.config C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v3.5\ja\Microsoft.Data.Entity.Build.Tasks.Resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\App_LocalResources\WebAdminHelp_Application.aspx.fr.resx C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Security.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\en-US\appv.adml C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\fr-FR\EventForwarding.adml C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\ja-JP\DWM.adml C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\FontCache-FontSet-S-1-5-18.dat C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\ipmidrv.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment.resources\v4.0_4.0.0.0_es_b03f5f7f11d50a3a\System.Deployment.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\LanmanWorkstation.admx C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\es-ES\ControlPanelDisplay.adml C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\Permissions\App_LocalResources\managePermissions.aspx.resx C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\Users\App_LocalResources\editUser.aspx.fr.resx C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Threading.Thread.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Activities.resources\v4.0_4.0.0.0_fr_31bf3856ad364e35\System.ServiceModel.Activities.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PLA\Reports\es-ES\Report.System.Summary.xml C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\it-IT\Globalization.adml C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\mlx4_bus.PNF C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\pmem.PNF C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\_difr.x3d C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\es\System.Device.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v3.5\1040\cscompui.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe.config C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.StartLayout.Commands.Resources\v4.0_10.0.0.0_it_31bf3856ad364e35\Microsoft.Windows.StartLayout.Commands.Resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Services.resources\v4.0_4.0.0.0_ja_b77a5c561934e089\System.Data.Services.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\App_LocalResources\DebugAndTrace.aspx.resx C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\App_LocalResources\WebAdminHelp_Provider.aspx.de.resx C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\App_LocalResources\error.aspx.es.resx C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Browser Information Discovery

discovery

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-03_b312be4969f3de211b46bb28fefc55bb_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe"

Network

Files

C:\Program Files\7-Zip\7-zip32.dll

MD5 911b4ff05ece5ddb4beda0725697af03
SHA1 aa44373dfc7ad07ea18d6c38bc7bd3d5956c7d71
SHA256 c02d0a70f63fc630f4dd579d4e2dc0d266a51ea43e1859f229c031984a81dc38
SHA512 6b0d4435a684865317f4adf8b3112486ab68730f9097657632def037c37eb12753d4f2c2a03b5ead5ee36661c8f568d5de09c73f46dc03d4e24dee1f7bc4ba49

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

MD5 536082a301f39047ac397b2fd5bf5072
SHA1 e959dd96ff075fe3e0ad3939fa134af84d3d2b14
SHA256 9bc370c846fbb8d9e939e925ac5c284b4b5aba0dccece801527c54a3792bc82e
SHA512 e7652d4240809f69d9dd7be360ca5fb2947f1758968de140c2f0ecd3d976f2cd2c44678242f0b50f997d81b7d2afa520fe570f763ba7bc0e30f072440f13a30c