Malware Analysis Report

2025-08-05 15:10

Sample ID: 250503-smhfjaej9s
Target: 2025-05-03_d5b972f131d079f2e16fa7301326e428_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch
SHA256: dc2c40b9221688ea1f08c3d8b9098f903cc72458bcac94382734e02e92dfd577
Tags: gofing credential_access discovery ransomware spyware stealer
Score: 10/10

Analysis Overview

Threat Level: Known bad

The file 2025-05-03_d5b972f131d079f2e16fa7301326e428_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch was found to be: Known bad.

Malicious Activity Summary

gofing credential_access discovery ransomware spyware stealer

Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

Gofing family

Gofing

Drops file in Drivers directory

Manipulates Digital Signatures

Loads dropped DLL

Drops startup file

Credentials from Password Stores: Windows Credential Manager

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Drops Chrome extension

Drops autorun.inf file

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Browser Information Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2025-05-03 15:14

Signatures

Gofing family

gofing


Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted: 2025-05-03 15:14
Reported: 2025-05-03 15:16
Platform: win10v2004-20250502-en
Max time kernel: 150s
Max time network: 112s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-03_d5b972f131d079f2e16fa7301326e428_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe"

Signatures

Gofing

ransomware gofing

Gofing family

gofing


Drops file in Drivers directory


Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description: File created
Indicator: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
Process: C:\Users\Admin\AppData\Local\Temp\2025-05-03_d5b972f131d079f2e16fa7301326e428_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
Target: N/A

Loads dropped DLL


Reads user/profile data of web browsers

spyware stealer

Drops Chrome extension

Description: File created
Indicator: C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\manifest.json
Process: C:\Users\Admin\AppData\Local\Temp\2025-05-03_d5b972f131d079f2e16fa7301326e428_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
Target: N/A

Drops desktop.ini file(s)


Drops autorun.inf file

Description: File opened for modification
Indicator: C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf
Process: C:\Users\Admin\AppData\Local\Temp\2025-05-03_d5b972f131d079f2e16fa7301326e428_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
Target: N/A

Drops file in System32 directory

File created C:\Windows\SysWOW64\wbem\setupapi.mof C:\Users\Admin\AppData\Local\Temp\2025-05-03_d5b972f131d079f2e16fa7301326e428_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-UX-UI-merged-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_d5b972f131d079f2e16fa7301326e428_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\MSHEIF.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_d5b972f131d079f2e16fa7301326e428_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\Keywords\{A5A7C794-3D59-41DF-915F-19ACDA526FC9}1036.bin C:\Users\Admin\AppData\Local\Temp\2025-05-03_d5b972f131d079f2e16fa7301326e428_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\ja-JP\fixmapi.exe.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_d5b972f131d079f2e16fa7301326e428_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\wbem\de-DE\iscsiwmiv2_uninstall.mfl C:\Users\Admin\AppData\Local\Temp\2025-05-03_d5b972f131d079f2e16fa7301326e428_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CallButtons.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_d5b972f131d079f2e16fa7301326e428_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-UX-PowerShell-Module-HyperV-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_d5b972f131d079f2e16fa7301326e428_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\wbem\fr-FR\schedprov.mfl C:\Users\Admin\AppData\Local\Temp\2025-05-03_d5b972f131d079f2e16fa7301326e428_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\@VpnToastIcon.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_d5b972f131d079f2e16fa7301326e428_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\MP4SDECD.DLL C:\Users\Admin\AppData\Local\Temp\2025-05-03_d5b972f131d079f2e16fa7301326e428_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Storage\StorageNode.cdxml C:\Users\Admin\AppData\Local\Temp\2025-05-03_d5b972f131d079f2e16fa7301326e428_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\it-IT\eventvwr.exe.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_d5b972f131d079f2e16fa7301326e428_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\jsproxy.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_d5b972f131d079f2e16fa7301326e428_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\mfcm100.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_d5b972f131d079f2e16fa7301326e428_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Host-Compute-PowerShell-Module-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_d5b972f131d079f2e16fa7301326e428_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_RoleResource\MSFT_RoleResource.schema.mof C:\Users\Admin\AppData\Local\Temp\2025-05-03_d5b972f131d079f2e16fa7301326e428_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\de-DE\wcncsvc.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_d5b972f131d079f2e16fa7301326e428_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\els.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_d5b972f131d079f2e16fa7301326e428_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\setup\cmmigr.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_d5b972f131d079f2e16fa7301326e428_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Drops file in Program Files directory

Description Indicator Process Target

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\it\System.Activities.DurableInstancing.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_d5b972f131d079f2e16fa7301326e428_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ShFusRes.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_d5b972f131d079f2e16fa7301326e428_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.Commands.GetDiagInput\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.Commands.GetDiagInput.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_d5b972f131d079f2e16fa7301326e428_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ES\System.Data.OracleClient.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_d5b972f131d079f2e16fa7301326e428_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\es\SqlPersistenceProviderSchema.sql C:\Users\Admin\AppData\Local\Temp\2025-05-03_d5b972f131d079f2e16fa7301326e428_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_d5b972f131d079f2e16fa7301326e428_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\fr\system.data.sqlxml.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_d5b972f131d079f2e16fa7301326e428_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\DataCollection.admx C:\Users\Admin\AppData\Local\Temp\2025-05-03_d5b972f131d079f2e16fa7301326e428_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\FileSys.admx C:\Users\Admin\AppData\Local\Temp\2025-05-03_d5b972f131d079f2e16fa7301326e428_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\en-US\nca.adml C:\Users\Admin\AppData\Local\Temp\2025-05-03_d5b972f131d079f2e16fa7301326e428_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\es-ES\EarlyLaunchAM.adml C:\Users\Admin\AppData\Local\Temp\2025-05-03_d5b972f131d079f2e16fa7301326e428_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Help\mui\0410\msdasc.chm C:\Users\Admin\AppData\Local\Temp\2025-05-03_d5b972f131d079f2e16fa7301326e428_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard\App_LocalResources\wizardCreateRoles.ascx.it.resx C:\Users\Admin\AppData\Local\Temp\2025-05-03_d5b972f131d079f2e16fa7301326e428_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\fr\System.Web.Abstractions.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_d5b972f131d079f2e16fa7301326e428_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Services.Design.resources\v4.0_4.0.0.0_ja_b77a5c561934e089\System.Data.Services.Design.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_d5b972f131d079f2e16fa7301326e428_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PLA\Reports\de-DE\Report.System.Memory.xml C:\Users\Admin\AppData\Local\Temp\2025-05-03_d5b972f131d079f2e16fa7301326e428_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\DCOM.admx C:\Users\Admin\AppData\Local\Temp\2025-05-03_d5b972f131d079f2e16fa7301326e428_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\kdc.admx C:\Users\Admin\AppData\Local\Temp\2025-05-03_d5b972f131d079f2e16fa7301326e428_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_d5b972f131d079f2e16fa7301326e428_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_d5b972f131d079f2e16fa7301326e428_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\fr\System.ServiceProcess.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_d5b972f131d079f2e16fa7301326e428_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\it\System.RunTime.Serialization.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_d5b972f131d079f2e16fa7301326e428_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_32\napcrypt\v4.0_10.0.0.0__31bf3856ad364e35\NAPCRYPT.DLL C:\Users\Admin\AppData\Local\Temp\2025-05-03_d5b972f131d079f2e16fa7301326e428_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.SDCommon\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDCommon.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_d5b972f131d079f2e16fa7301326e428_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Browser Information Discovery

discovery

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-03_d5b972f131d079f2e16fa7301326e428_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-03_d5b972f131d079f2e16fa7301326e428_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe"

Network

Country Destination Domain Proto
GB 95.101.143.185:443 www.bing.com tcp
US 8.8.8.8:53 c.pki.goog udp
DE 142.250.184.195:80 c.pki.goog tcp

Files

C:\Program Files\7-Zip\7-zip32.dll

MD5 91637c6e902520f6a47a829d994b3958
SHA1 e0b296aacd47ea75df1ab79a6fbb733b1cc3e803
SHA256 e459615e223504ec50ef7b06a286239314253c5e3e62e8c29d145174b51d239a
SHA512 a0d27bc1d4d470ef5daba14117bf3d0c1c152096a3d0b23f2ec4f9bc0d90b90e1353a041bc52aae25bad343c2c58b6fb2f6292daf1e0103b2ab0996747d9a9d3

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

MD5 0459ae2ec18a8c3ab8b11d3d0f55a693
SHA1 33f33920bf14092faa0d3e109130774e02ba15cf
SHA256 18ce0b5bc32b4123bd7745b7eb7ac74a812285072a156079b72e2201f1154f2c
SHA512 2616161c4778146bdbddb70c3baa19ca94f9847e38553b04e04c37102ec8000521110239e28bc2d18eaa074ca63792c3e3479327f498c134c6b6d58a9d5e54c0