Malware Analysis Report

2025-08-05 15:10

Sample ID 250503-sjg1ladr8z
Target 2025-05-03_c9de499faafeb8822a7b4e8a8f8b4db5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch
SHA256 d1ef69bbe35986e172c559cd4b69332ec2f8e195a287838b9c998fc773669ce7
Tags gofing credential_access discovery ransomware spyware stealer
Score 10/10

Analysis Overview

Threat Level: Known bad

The file 2025-05-03_c9de499faafeb8822a7b4e8a8f8b4db5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch was found to be: Known bad.

Malicious Activity Summary

gofing credential_access discovery ransomware spyware stealer

Gofing

Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

Gofing family

Drops file in Drivers directory

Manipulates Digital Signatures

Loads dropped DLL

Reads user/profile data of web browsers

Credentials from Password Stores: Windows Credential Manager

Drops startup file

Drops desktop.ini file(s)

Drops Chrome extension

Drops autorun.inf file

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Browser Information Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2025-05-03 15:09

Signatures

Gofing family

gofing

Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted 2025-05-03 15:09
Reported 2025-05-03 15:11
Platform win10v2004-20250502-en
Max time kernel 150s
Max time network 106s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-03_c9de499faafeb8822a7b4e8a8f8b4db5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe"

Signatures

Gofing

ransomware gofing

Gofing family

gofing

Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

Drops file in Drivers directory


Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_c9de499faafeb8822a7b4e8a8f8b4db5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Loads dropped DLL

Reads user/profile data of web browsers

spyware stealer

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\manifest.json C:\Users\Admin\AppData\Local\Temp\2025-05-03_c9de499faafeb8822a7b4e8a8f8b4db5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Drops desktop.ini file(s)


Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_c9de499faafeb8822a7b4e8a8f8b4db5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Drops file in System32 directory

File created C:\Windows\SysWOW64\es-ES\localsec.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_c9de499faafeb8822a7b4e8a8f8b4db5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\opencl.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_c9de499faafeb8822a7b4e8a8f8b4db5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CameraCaptureUI.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_c9de499faafeb8822a7b4e8a8f8b4db5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Storage-VirtualDevice-SCSI-merged-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_c9de499faafeb8822a7b4e8a8f8b4db5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\Windows.Media.Streaming.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_c9de499faafeb8822a7b4e8a8f8b4db5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\de-DE\rpcnsh.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_c9de499faafeb8822a7b4e8a8f8b4db5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\ja-JP\wlanutil.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_c9de499faafeb8822a7b4e8a8f8b4db5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Embedded-KeyboardFilter-WOW64-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_c9de499faafeb8822a7b4e8a8f8b4db5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetSecurity\NetSecurity.types.ps1xml C:\Users\Admin\AppData\Local\Temp\2025-05-03_c9de499faafeb8822a7b4e8a8f8b4db5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\uk-UA\UIRibbon.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_c9de499faafeb8822a7b4e8a8f8b4db5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\wbem\en-US\ServDeps.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_c9de499faafeb8822a7b4e8a8f8b4db5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\AppVPublishing.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_c9de499faafeb8822a7b4e8a8f8b4db5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ScriptResource\uk-UA\MSFT_ScriptResource.schema.mfl C:\Users\Admin\AppData\Local\Temp\2025-05-03_c9de499faafeb8822a7b4e8a8f8b4db5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\mscpxl32.dLL C:\Users\Admin\AppData\Local\Temp\2025-05-03_c9de499faafeb8822a7b4e8a8f8b4db5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\wbem\en-US\PrintManagementProvider.mfl C:\Users\Admin\AppData\Local\Temp\2025-05-03_c9de499faafeb8822a7b4e8a8f8b4db5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\AuthHost.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_c9de499faafeb8822a7b4e8a8f8b4db5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-UX-PowerShell-Module-HyperV-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_c9de499faafeb8822a7b4e8a8f8b4db5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Common-RegulatedPackages-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_c9de499faafeb8822a7b4e8a8f8b4db5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\Windows.Security.Authentication.OnlineId.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_c9de499faafeb8822a7b4e8a8f8b4db5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ArchiveResource\fr-FR\ArchiveProvider.psd1 C:\Users\Admin\AppData\Local\Temp\2025-05-03_c9de499faafeb8822a7b4e8a8f8b4db5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Drops file in Program Files directory

Description Indicator Process Target

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\INF\netvwififlt.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_c9de499faafeb8822a7b4e8a8f8b4db5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ImmersiveControlPanel\appxsignature.p7x C:\Users\Admin\AppData\Local\Temp\2025-05-03_c9de499faafeb8822a7b4e8a8f8b4db5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\it\Microsoft.VisualBasic.Compatibility.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_c9de499faafeb8822a7b4e8a8f8b4db5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\it-IT\ServiceModelPerformanceCounters.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_c9de499faafeb8822a7b4e8a8f8b4db5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.AddIn.resources\v4.0_4.0.0.0_es_b77a5c561934e089\System.AddIn.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_c9de499faafeb8822a7b4e8a8f8b4db5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PLA\Rules\de-DE\Rules.System.Common.xml C:\Users\Admin\AppData\Local\Temp\2025-05-03_c9de499faafeb8822a7b4e8a8f8b4db5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\de-DE\ServerManager.adml C:\Users\Admin\AppData\Local\Temp\2025-05-03_c9de499faafeb8822a7b4e8a8f8b4db5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\en-US\UserProfiles.adml C:\Users\Admin\AppData\Local\Temp\2025-05-03_c9de499faafeb8822a7b4e8a8f8b4db5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v3.0\Windows Workflow Foundation\SQL\es\SqlPersistenceService_Logic.sql C:\Users\Admin\AppData\Local\Temp\2025-05-03_c9de499faafeb8822a7b4e8a8f8b4db5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\it\System.Web.Services.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_c9de499faafeb8822a7b4e8a8f8b4db5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\App_LocalResources\default.aspx.it.resx C:\Users\Admin\AppData\Local\Temp\2025-05-03_c9de499faafeb8822a7b4e8a8f8b4db5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\it\System.Deployment.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_c9de499faafeb8822a7b4e8a8f8b4db5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\netmyk64.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_c9de499faafeb8822a7b4e8a8f8b4db5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\setUpAuthentication.aspx C:\Users\Admin\AppData\Local\Temp\2025-05-03_c9de499faafeb8822a7b4e8a8f8b4db5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\fr-FR\PresentationHost_v0400.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_c9de499faafeb8822a7b4e8a8f8b4db5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\fr\System.Web.DynamicData.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_c9de499faafeb8822a7b4e8a8f8b4db5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\PeerToPeerCaching.admx C:\Users\Admin\AppData\Local\Temp\2025-05-03_c9de499faafeb8822a7b4e8a8f8b4db5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Cursors\aero_pin.cur C:\Users\Admin\AppData\Local\Temp\2025-05-03_c9de499faafeb8822a7b4e8a8f8b4db5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Fonts\courbd.ttf C:\Users\Admin\AppData\Local\Temp\2025-05-03_c9de499faafeb8822a7b4e8a8f8b4db5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\ja\SqlPersistenceProviderSchema.sql C:\Users\Admin\AppData\Local\Temp\2025-05-03_c9de499faafeb8822a7b4e8a8f8b4db5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\es\System.Web.Entity.Design.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_c9de499faafeb8822a7b4e8a8f8b4db5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_c9de499faafeb8822a7b4e8a8f8b4db5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WMINet_Utils.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_c9de499faafeb8822a7b4e8a8f8b4db5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\TaskScheduler.Resources\v4.0_10.0.0.0_it_31bf3856ad364e35\TaskScheduler.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_c9de499faafeb8822a7b4e8a8f8b4db5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\es-ES\PerformancePerftrack.adml C:\Users\Admin\AppData\Local\Temp\2025-05-03_c9de499faafeb8822a7b4e8a8f8b4db5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Browser Information Discovery

discovery

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-03_c9de499faafeb8822a7b4e8a8f8b4db5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-03_c9de499faafeb8822a7b4e8a8f8b4db5_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 c.pki.goog udp
DE 142.250.184.195:80 c.pki.goog tcp

Files

C:\Program Files\7-Zip\7-zip.dll


C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll


C:\Program Files\Microsoft Office\root\Office16\VISSHE.DLL
