Malware Analysis Report

2025-08-05 15:10

Sample ID 250503-thlstsyjt4
Target 2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch
SHA256 bf70c00fb12aabed9ff74774348312b5e1a4228bddabf8ecbdefaf6a8ea40638
Tags
gofing credential_access discovery ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bf70c00fb12aabed9ff74774348312b5e1a4228bddabf8ecbdefaf6a8ea40638

Threat Level: Known bad

The file 2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch was found to be: Known bad.

Malicious Activity Summary

gofing credential_access discovery ransomware spyware stealer

Gofing family

Gofing

Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

Renames multiple (52) files with added filename extension

Manipulates Digital Signatures

Drops file in Drivers directory

Reads user/profile data of web browsers

Drops startup file

Loads dropped DLL

Credentials from Password Stores: Windows Credential Manager

Drops desktop.ini file(s)

Drops Chrome extension

Drops autorun.inf file

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Browser Information Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-03 16:03

Signatures

Gofing family

gofing

Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-03 16:03

Reported

2025-05-03 16:06

Platform

win10v2004-20250502-en

Max time kernel

150s

Max time network

113s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe"

Signatures

Gofing

ransomware gofing

Gofing family

gofing

Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\fr-FR\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\uk-UA\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\de-DE\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\es-ES\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\fr-FR\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\it-IT\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\it-IT\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\afunix.sys C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\de-DE\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\en-US\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\es-ES\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\gm.dls C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\gmreadme.txt C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\ja-JP\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\ja-JP\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\en-US\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\manifest.json C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Downloaded Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Offline Web Pages\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Fonts\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\$Recycle.Bin\S-1-5-21-3690492401-2005096563-3427069815-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Media\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\wbem\p2p-mesh.mof C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-UX-Common-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-Multimedia-MFPMP-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1266.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\F12\DiagnosticsHub.DataWarehouse.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\Keywords\{A5A7C794-3D59-41DF-915F-19ACDA526FC9}1034.bin C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\it-IT\raschap.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\ja-JP\wcncsvc.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\wbem\dimsjob.mof C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\C_G18030.DLL C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WSManHTTPConfig.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetEventPacketCapture\NetEventPacketCapture.Types.ps1xml C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\it-IT\cmmon32.exe.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\ja-JP\netdiagfx.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\wbem\de-DE\p2p-mesh.mfl C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-Host-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.264.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-FCI-Client-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\Speech\Engines\TTS\MSTTSEngine.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\Windows.Networking.HostName.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetworkConnectivityStatus\MSFT_DAConnectionStatus.types.ps1xml C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\it-IT\LockAppBroker.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\it-IT\regedit.exe.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\mfc110.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-OfflineFiles-WOW64-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\dxgi.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\fr-FR\cdosys.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\hr-HR\windows.ui.xaml.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\KBDINASA.DLL C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\de-DE\p2pnetsh.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\findnetprinters.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\fr-FR\msdrm.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\wbem\PolicMan.mof C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\wbem\fr-FR\MsNetImPlatform.mfl C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Multimedia-RestrictedCodecs-WOW64-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-System-VirtualMachine-merged-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Storage-VirtualDevice-SMB-merged-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~en-US~10.0.19041.906.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\TapiMigPlugin.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\en-US\Wisp.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Enterprise-Desktop-Shared-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\SystemSupportInfo.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Archive\Microsoft.PowerShell.Archive.psm1 C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\chartv.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\mapistub.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\Dsui.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ScriptResource\fr-FR\MSFT_ScriptResource.schema.mfl C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\cryptdll.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\en-US\localsec.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\ir50_qcxoriginal.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\it-IT\rdvgogl32.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\migration\imjpmig.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\wbem\mswmdm.mof C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\KBDARMW.DLL C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ArchiveResource\de-DE\ArchiveProvider.psd1 C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_LogResource\ja-JP\MSFT_LogResource.schema.mfl C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\fr-FR\imapi.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\@WindowsUpdateToastIcon.contrast-white.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Storage-VirtualDevice-IDE-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-UX-PowerShell-Module-HyperV-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Legacy-Components-OC-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\ja-JP\iepeers.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\msls31.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.264.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\RemoveDeviceContextHandler.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Images\thumb_stats_render_smallest.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-memory-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\lt-LT\View3d\3DViewerProductDescription-universal.xml C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-80_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptyShare-Dark.scale-150.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\ResiliencyLinks\Locales\cs.pak.DATA C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\sd\icecast.luac C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\SmallTile.scale-125_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Spiral.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\loc_archives\en-gb\loc.archive C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-60.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-100.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\msedge_proxy.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\VoiceRecorderSplashScreen.contrast-black_scale-125.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MixedRealityPortalAppList.targetsize-256_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxBadge.scale-200.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Data.DataSetExtensions.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\it\PresentationFramework.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeUpdate_disable\1.3.195.49\msedgeupdateres_ga.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Extreme Shadow.eftx C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Trial-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Config\View3DConfig.json C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_2020.1906.55.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\Snooze.scale-80.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\icudt40.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\ResiliencyLinks\Locales\pt-PT.pak.DATA C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageStoreLogo.scale-125_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\Snooze.scale-80.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Net.NameResolution.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_zh_CN.properties C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\EXPTOOWS.DLL C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.ServiceModel.Security.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Scientific.targetsize-16_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailBadge.scale-200.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\da.pak C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\kinit.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\schemagen.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\Fonts\private\DUBAI-LIGHT.TTF C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECLIPSE\PREVIEW.GIF C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Common Files\System\msadc\ja-JP\msadcor.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Windows Media Player\fr-FR\mpvis.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIntegration.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MEDIA\DRUMROLL.WAV C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\visicon.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-black\SmallTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireAppList.targetsize-96_altform-unplated_devicefamily-colorfulunplated.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSplashLogo.scale-250.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-96_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Internet Explorer\uk-UA\ieinstal.exe.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Integration\C2RManifest.dcfmui.msi.16.en-us.xml C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DcfMsoWrapper.x86.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraSplashScreen.contrast-white_scale-125.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\LargeTile.scale-100_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-locale-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Integration\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Lumia.Imaging.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\GlassVertexShader.cso C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\no_get.svg C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\INF\c_scsiadapter.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\c_usbdevice.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\sysglobl.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Providers\App_LocalResources\providerList.ascx.resx C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ja\XamlBuildTask.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Tasks.v4.0.resources\v4.0_4.0.0.0_it_b03f5f7f11d50a3a\Microsoft.Build.Tasks.v4.0.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework.Luna\v4.0_4.0.0.0__31bf3856ad364e35\PresentationFramework.Luna.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\CEIPEnable.admx C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ShFusRes.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.ServiceMoniker40\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.ServiceMoniker40.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\ja-JP\FileServerVSSProvider.adml C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Speech_OneCore\Engines\TTS\ja-JP\NUSData\M1041Sayaka.tbtdirection.WVE C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Fonts\cambriaz.ttf C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ImmersiveControlPanel\images\Devices.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100rus_x86 C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\es-ES\PresentationHost_v0400.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\it\System.ServiceModel.Web.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\es-ES\TPM.adml C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\c_scmdisk.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\1040\FileTrackerUI.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\es\System.Web.DynamicData.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\napinit\v4.0_10.0.0.0__31bf3856ad364e35\NAPINIT.DLL C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\fr\WindowsBase.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp.resources\v4.0_4.0.0.0_es_b03f5f7f11d50a3a\Microsoft.CSharp.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\.NET CLR Networking 4.0.0.0\0C0A\_Networkingperfcounters_d.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\.NET Data Provider for SqlServer\0407\_dataperfcounters_shared12_neutral_d.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\ServiceModelOperation 3.0.0.0\040C\_ServiceModelOperationPerfCounters_D.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\vca.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\_ServiceModelOperationPerfCounters.reg C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard\App_LocalResources\wizardProviderInfo.ascx.it.resx C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Net.Http.resources\v4.0_4.0.0.0_ja_b03f5f7f11d50a3a\System.Net.Http.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Provisioning\Packages\Power.Settings.Button.ppkg C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Boot\EFI\da-DK\bootmgfw.efi.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Boot\PCAT\pt-BR\bootmgr.exe.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\Browsers\EZWap.browser C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Windows.Forms.DataVisualization.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\es\System.ComponentModel.DataAnnotations.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\es\System.DirectoryServices.AccountManagement.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\System.tlb C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\ja-JP\AppxPackageManager.adml C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Help\mui\0C0A\msorcl32.chm C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\cpu.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\fr\Microsoft.VisualBasic.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe.config C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Wizard\App_LocalResources\wizardPermission.ascx.de.resx C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\en-US\InetRes.adml C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\acpipmi.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\battery.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v3.5\de\MSBuild.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\ICELAND.TXT C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Media\Alarm02.wav C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\es-ES\WindowsAnytimeUpgrade.adml C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\ndisimplatformmp.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v3.5\Microsoft.WinFx.targets C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Cursors\wait_im.cur C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\fr\WindowsBase.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\Roles\App_LocalResources\manageAllRoles.aspx.ja.resx C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Fonts\YuGothL.ttc C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\c_multifunction.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\ndisimplatform.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ES\aspnetmmcext.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ja\System.ComponentModel.Composition.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\webAdmin.master C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Speech_OneCore\Engines\TTS\fr-FR\FrFR.Computer.dat C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Browser Information Discovery

discovery

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 c.pki.goog udp
DE 142.250.184.195:80 c.pki.goog tcp

Files

C:\Program Files\7-Zip\7z.dll

MD5 664294b75c9c35ca878741cc75b1dc07
SHA1 e510571a3e4738ea1be029e42ec8b11164f0ba47
SHA256 3df21cad683ea9b6074ab4bd83a33d09bcfb83b344a7005effa3e282c2d955c2
SHA512 9cdcbc4a58e6e031538c92b0eff3160dced67754d71602d9eed1f93f5eb91eb9d87eedb68b84ffeb25d6d183ed3bd342bf4e43e3719ec643fd8eaacad0155c6e

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

MD5 1a1fb17cab6560b9800db8152e7c7d0e
SHA1 ca3fc33c7050e0d43274a1c6b00f7143a28c1fa1
SHA256 ee9ad44ced711fa491e1f1a1418fa2bbf1ba75169f938e0d094d5d65c35f75b9
SHA512 e836adde0645621f7a120de83196615da85f68ca4007ac4ea4364c8d8de1b4a0c5b64da70aad6fa76da7b79fe57960d08c813ecd9bd647153e8d3111435b890c

Analysis: behavioral2

Detonation Overview

Submitted

2025-05-03 16:03

Reported

2025-05-03 16:06

Platform

win11-20250502-en

Max time kernel

150s

Max time network

104s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe"

Signatures

Gofing

ransomware gofing

Gofing family

gofing

Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Renames multiple (52) files with added filename extension

ransomware

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\es-ES\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\afunix.sys C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\de-DE\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\es-ES\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\fr-FR\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\ja-JP\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\uk-UA\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\en-US\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\fr-FR\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\gm.dls C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\gmreadme.txt C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\it-IT\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\en-US\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\it-IT\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\ja-JP\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\de-DE\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\manifest.json C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Fonts\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Media\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Offline Web Pages\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Downloaded Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\DriverStore\FileRepository\netathr10x.inf_amd64_2691c4f95b80eb3b\eeprom_ar6320_3p0_NFA344a.bin C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\Dism\de-DE\OSProvider.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetTCPIP\MSFT_NetIPAddress.cdxml C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\fr-FR\msorc32r.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\pl-PL\APHostRes.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\wbem\RacWmiProv.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Storage-VirtualDevice-PMEM-Package~31bf3856ad364e35~amd64~~10.0.22000.434.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\ja\Microsoft.AppV.AppVClientPowerShell.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\d3d10level9.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\downlevel\api-ms-win-core-stringansi-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\en-US\Windows.System.Profile.HardwareId.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\migration\shmig.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\AppResolver.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Identity-Foundation-Package~31bf3856ad364e35~amd64~en-US~10.0.22000.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_WaitForAll\it-IT\MSFT_WaitForAll.schema.mfl C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\es-ES\joy.cpl.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-KernelInt-VirtualDevice-merged-Package~31bf3856ad364e35~amd64~~10.0.22000.120.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Multimedia-MFCore-WCOSMinusHeadless-WOW64-Package~31bf3856ad364e35~amd64~ja-JP~10.0.22000.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\Dism\de-DE\OSProvider.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\Speech\Engines\SR\es-ES\srloc.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\de-DE\raschap.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Package-base-Package~31bf3856ad364e35~amd64~uk-UA~10.0.22000.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-Multimedia-CastingCommon-WOW64-Package~31bf3856ad364e35~amd64~~10.0.22000.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_3_for_KB5006755~31bf3856ad364e35~amd64~~22000.280.1.0.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\IME\SHARED\IMEPADSM.DLL C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\de-DE\winver.exe.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Common-merged-Package~31bf3856ad364e35~amd64~ja-JP~10.0.22000.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmnttd2.inf_amd64_590ceecfe41b872c\mdmnttd2.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\DriverStore\it-IT\vca.inf_loc C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\es-ES\Windows.ApplicationModel.Store.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\fr-CA\quickassist.exe.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\nb-NO\SyncRes.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-MobilePC-Client-Premium-Package~31bf3856ad364e35~amd64~ja-JP~10.0.22000.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\PresentationCFFRasterizerNative_v0300.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\fr-FR\mshta.exe.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\ChxAPDS.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\wiaacmgr.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\LocationFrameworkInternalPS.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\WinMetadata\Windows.Foundation.winmd C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-PortableWorkspaces-Package~31bf3856ad364e35~amd64~~10.0.22000.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\DriverStore\ja-JP\STEXSTOR.inf_loc C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\SettingsHandlers_AnalogShell.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\Dism\de-DE\VhdProvider.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmmoto1.inf_amd64_2ec03742a46ceb43\mdmmoto1.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\TileDataRepository.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\es-ES\wextract.exe.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Containers-DisposableClientVM-merged-Package~31bf3856ad364e35~amd64~es-ES~10.0.22000.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-Connectivity-NFC-Drivers-Package~31bf3856ad364e35~amd64~~10.0.22000.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-UPnP-Package~31bf3856ad364e35~amd64~~10.0.22000.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\DriverStore\en-US\c_proximity.inf_loc C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Desktop-Shared-Drivers-merged-Package~31bf3856ad364e35~amd64~de-DE~10.0.22000.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Printing-LPDPrintService-Opt-Package~31bf3856ad364e35~amd64~ja-JP~10.0.22000.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\c_fdc.inf_amd64_615550dcfd2447f3\c_fdc.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\MessagingService.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-WindowsMediaPlayer-Troubleshooters-Package~31bf3856ad364e35~amd64~~10.0.22000.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Multimedia-RestrictedCodecsCore-Full-Package~31bf3856ad364e35~amd64~uk-UA~10.0.22000.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-WebService-Package~31bf3856ad364e35~amd64~~10.0.22000.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Network-Security-MPSSVC-Package~31bf3856ad364e35~amd64~~10.0.22000.318.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-WMPNetworkSharingService-Opt-WOW64-Package~31bf3856ad364e35~amd64~fr-FR~10.0.22000.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\KBDUSX.DLL C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCClassResources\WindowsPackageCab\de-DE\WindowsPackageCab.Strings.psd1 C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-RemoteFX-RemoteClient-Setup-Package~31bf3856ad364e35~amd64~fr-FR~10.0.22000.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\DriverStore\de-DE\wmbclass_wmc_union.inf_loc C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\DriverStore\fr-FR\wvpci.inf_loc C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_x64__8wekyb3d8bbwe\Assets\CalculatorSmallTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-amd\ExtendedPicker.js C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@fluentui\dom-utilities\lib\version.js C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.Primitives.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Xaml.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib\Sticky.js C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib-commonjs\selection\Selection.types.js C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-32_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\S_IlluNoInternetConnection_120x80.svg C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\uk-ua\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\da-dk\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\or.pak C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-private-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.40831.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-60_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib\components\GroupedList\GroupShowAll.base.js C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\nn.pak C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\xlsrvintl.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.BingWeather_1.0.6.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\WeatherBadgeLogo.scale-100.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2103.1172.0_x64__8wekyb3d8bbwe\Assets\contrast-black\FeedbackHubAppList.targetsize-32_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarSmallTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-100.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\UIAutomationClientsideProviders.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_x64__8wekyb3d8bbwe\Assets\contrast-white\GetHelpStoreLogo.scale-200_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_1.0.22.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-24_altform-lightunplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-commonjs\components\DocumentCard\DocumentCardActions.types.js C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial1-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\OFFSYMXL.TTF C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-commonjs\Button.js C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\wwwroot\app.appx C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\GKPowerPoint.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2103.1172.0_x64__8wekyb3d8bbwe\Assets\contrast-black\FeedbackHubSplashScreen.scale-200.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.113.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\LinkedInboxLargeTile.scale-400.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_forward_18.svg C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\root\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\Locales\el.pak C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_Subscription-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\PeopleLargeTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-24_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxLargeTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_filter\libalphamask_plugin.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\index.html C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeUpdate_disable\1.3.195.43\msedgeupdateres_kn.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-180.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Windows Media Player\ja-JP\mpvis.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_2.2106.2807.0_x64__8wekyb3d8bbwe\Assets\Images\genericfile.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-commonjs\components\DocumentCard\DocumentCardPreview.js C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\identity_helper.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\it-IT\tabskb.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-utility-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_2.2106.2807.0_x64__8wekyb3d8bbwe\Assets\Store\Square150x150Logo.scale-400.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-48_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\GetHelpStoreLogo.scale-100_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2102.13.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\Tentative.scale-100_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.GamingApp_2105.900.24.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxSignature.p7x C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_12104.1001.1.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\LibrarySquare150x150Logo.scale-125.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.32731.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-20_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2020.503.58.0_x64__8wekyb3d8bbwe\Assets\CameraAppList.targetsize-64.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\Images\StoreLogo.scale-150_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\INF\mdmgcs.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ja\Microsoft.Activities.Build.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml.Serialization\v4.0_4.0.0.0__b77a5c561934e089\System.Xml.Serialization.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\fr-FR\StartMenu.adml C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\ja-JP\FramePanes.adml C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Speech_OneCore\Engines\TTS\en-US\M1033Eva.TON C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\DiagTrack\Settings\windows.uif_ondemand.json C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\msgpiowin32.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\L2Schemas\LAN_profile_v1.xsd C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v3.5\Microsoft.WinFx.targets C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Runtime.Serialization.Primitives.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\web_minimaltrust.config.default C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallMembership.sql C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\it\System.Design.Resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Fonts\vgas874.fon C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\CLR.mof.uninstall C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\3082\dv_aspnetmmc.chm C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\Browsers\EZWap.browser C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\es\System.Design.Resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\selectedTab_1x1.gif C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\de\Microsoft.Transactions.Bridge.Resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\App_LocalResources\security0.aspx.fr.resx C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\ccme_base_non_fips.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Media\Windows Restore.wav C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ja\Microsoft.VisualBasic.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\ja-JP\Reliability.adml C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SKB\LanguageModels\lm.en-001.dat C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Providers\App_LocalResources\manageconsolidatedProviders.aspx.resx C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\NlsLexicons0009.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\fr\PresentationFramework.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility.Resources\v4.0_3.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.Resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PLA\Reports\de-DE\Report.System.Diagnostics.xml C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\MobilePCMobilityCenter.admx C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\ConnectedDevicesPlatform\Connected Devices Platform certificates.sst C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Help\mui\0411\msorcl32.chm C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\Browsers\goAmerica.browser C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.xml.resources\v4.0_4.0.0.0_es_b77a5c561934e089\System.xml.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\es-ES\NetworkConnections.adml C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\es-ES\PushToInstall.adml C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\en-US\MDM.adml C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallRoles.sql C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\diasymreader.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\web_minimaltrust.config C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Providers\ManageProviders.aspx C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\es\SqlPersistenceProviderSchema.sql C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.IO.FileSystem.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Workflow.Activities.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Diagnostics.Contracts\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Diagnostics.Contracts.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ImmersiveControlPanel\images\splashscreen.contrast-white_scale-400.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard\App_LocalResources\wizard.aspx.es.resx C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\App_LocalResources\setUpAuthentication.aspx.it.resx C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\system.dynamic.resources\v4.0_4.0.0.0_fr_b03f5f7f11d50a3a\System.Dynamic.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\en-US\MobilePCMobilityCenter.adml C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\es-ES\DeviceSetup.adml C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Resources\Themes\aero\fr-FR\aero.msstyles.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Boot\EFI\nl-NL\bootmgfw.efi.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Boot\Misc\PCAT\bootspaces.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\Microsoft.JScript.tlb C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Web.ApplicationServices.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\App_LocalResources\ManageAppSettings.aspx.es.resx C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\de-DE\WindowsInkWorkspace.adml C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\en-US\Display.adml C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\fr-FR\ServerManager.adml C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\cryptocme.sig C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Browser Information Discovery

discovery

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe"

Network

Files

C:\Program Files\7-Zip\7z.dll

MD5 97adb780597f00e8533ae587e236ccfb
SHA1 060c0648cd83e9279c2812ba553223750122925e
SHA256 1eec8d9ba6a32c2431e731ae077010631ea8d4ae7571e0b4c62524b2c3d295fd
SHA512 53fc0538b3ba86c7b983326f080d8ef15c4a228a059316b0ecd721f48fbcad730b6c06dfa19a982075a50505e3612fe3a7e2f31588b8b1180fbd09fd31daaee5

C:\Program Files\Microsoft Office\root\Office16\VISSHE.DLL

MD5 8f402ef863d0fbc39d18f403fad36966
SHA1 6b79596b548939279fcaa4f31b7c15402a8eb4e4
SHA256 a5f3cc9bda30576f6c67efe05d4bc8f255c8d2b28cb063760c969b37d61b7399
SHA512 ca5db35e683e7fe070d905ba1bd961ca8e3e129734cc4568829d7ea7f38d8d174524d57bb28e3d30876bb47a99fde2d816948148a150b2b846ab91a5e2477fe9

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

MD5 dc818ecf12f4101a0a91cde7884d619c
SHA1 4c8aff6a919ec51ec8970c225d4b26298a69eda2
SHA256 50831d6e05c7d633a7d96753e75875275c21f75834d2732fccb2fcaa056a8234
SHA512 9204eec9e33f99e3d171469a41ed285ad6816f21adc58d3d7faffdc0a715f95f014ee4bf09bd9f669c48ad4338bbc60e25d6fee497d0bb7274439f90beb3d5cb