Malware Analysis Report

2025-08-05 15:10

Sample ID 250503-tlxz9sfk7s
Target 2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch
SHA256 bf70c00fb12aabed9ff74774348312b5e1a4228bddabf8ecbdefaf6a8ea40638
Tags
gofing credential_access discovery ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bf70c00fb12aabed9ff74774348312b5e1a4228bddabf8ecbdefaf6a8ea40638

Threat Level: Known bad

The file 2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch was found to be: Known bad.

Malicious Activity Summary

gofing credential_access discovery ransomware spyware stealer

Gofing

Gofing family

Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

Drops file in Drivers directory

Manipulates Digital Signatures

Reads user/profile data of web browsers

Credentials from Password Stores: Windows Credential Manager

Loads dropped DLL

Drops startup file

Drops desktop.ini file(s)

Drops Chrome extension

Drops autorun.inf file

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Browser Information Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-03 16:09

Signatures

Gofing family

gofing

Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-03 16:09

Reported

2025-05-03 16:11

Platform

win10v2004-20250502-en

Max time kernel

150s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe"

Signatures

Gofing

ransomware gofing

Gofing family

gofing

Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\gmreadme.txt C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\ja-JP\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\uk-UA\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\de-DE\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\es-ES\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\fr-FR\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\it-IT\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\de-DE\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\en-US\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\es-ES\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\afunix.sys C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\fr-FR\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\gm.dls C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\it-IT\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\ja-JP\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\en-US\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\manifest.json C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Media\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Downloaded Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Fonts\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Offline Web Pages\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Networking-merged-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\ServiceSet\ServiceSet.Schema.psm1 C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\perfmon.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\Configuration\BaseRegistration\it-IT\MSFT_DSCMetaConfiguration.mfl C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\Get-DscConfigurationStatus.cdxml C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\C_28599.NLS C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-PhotoBasic-Feature-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Multimedia-MFCore-WCOSMinusHeadless-Package~31bf3856ad364e35~amd64~uk-UA~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\DriverStore\es-ES\cmbatt.inf_loc C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\eappgnui.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\it-IT\adsnt.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-HvSocket-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\DriverStore\ja-JP\lltdio.inf_loc C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WinMetadata\Windows.Devices.winmd C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Wdac\Wdac.format.ps1xml C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\wbem\de-DE\wininit.mfl C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Holographic-Desktop-Analog-Package~31bf3856ad364e35~amd64~~10.0.19041.264.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-RemoteAssistance-Package-Client~31bf3856ad364e35~amd64~uk-UA~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\downlevel\api-ms-win-security-base-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\wbem\fr-FR\cli.mfl C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\wbem\it-IT\csv.xsl C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\write.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-VID-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-VmBus-VirtualDevice-merged-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Multimedia-RestrictedCodecsExt-WCOSMinusHeadless-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\DriverStore\fr-FR\sisraid2.inf_loc C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\BOOTVID.DLL C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Presentation-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\IoTAssignedAccessLockFramework.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\LicenseManagerSvc.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\ialpss2i_i2c_glk.inf_amd64_7b6c08738ca8a856\iaLPSS2i_I2C_GLK.sys C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\MsDtc\ja\Microsoft.Dtc.PowerShell.Resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\ja-JP\PlayToStatusProvider.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\ja-JP\els.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\wmidx.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-NetFx4-US-OC-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Notepad-FoD-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-msmq-runtime-Opt-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Media-Streaming-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\DriverStore\fr-FR\netrasa.inf_loc C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\DriverStore\fr-FR\netrtl64.inf_loc C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\downlevel\api-ms-win-core-registry-l2-1-0.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\mrt100.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-WordPad-FoD-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\DriverStore\it-IT\NdisImPlatform.inf_loc C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\APHostClient.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\de-DE\authfwgp.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\DeviceDirectoryClient.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\circlass.inf_amd64_9f3f831d13d3df1f\circlass.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netathr10x.inf_amd64_2691c4f95b80eb3b\eeprom_qca9377_1p1_NFA425_olpc_A_TP203NA.bin C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\ja-JP\rpcping.exe.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SMB1Deprecation-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netathr10x.inf_amd64_2691c4f95b80eb3b\eeprom_qca9377_1p1_NFA435_olpc_LE_9.bin C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\DriverStore\en-US\AMDGPIO2.inf_loc C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\DriverStore\it-IT\intelpep.inf_loc C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\DriverStore\it-IT\wvmic_kvpexchange.inf_loc C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\es-ES\mmcshext.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\fr-FR\PeerDistSh.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\taskkill.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\cpu.inf_amd64_0abeab1ee6572232\amdk8.sys C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\DriverStore\ja-JP\netrtwlans.inf_loc C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\Maml.tbr C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\de-DE\windows.ui.xaml.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\oobe\SetupCleanupTask.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedSplash.scale-100_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNotebookSmallTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionGroupSmallTile.scale-150.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-64.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubWideTile.scale-200_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-256_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Tracing.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraSmallTile.contrast-black_scale-125.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Primitives.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Threading.Timer.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\WindowsFormsIntegration.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\check.cur C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\ro.pak C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\Locales\hi.pak C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedge_wer.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Subscription-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_KMS_Client-ul.xrm-ms C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\SmallTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Google\Chrome\Application\133.0.6943.60\vk_swiftshader.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\rsod\dcfmui.msi.16.en-us.boot.tree.dat C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-black\WideTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_scale-125.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Locales\ml.pak C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Extreme Shadow.eftx C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageSmallTile.scale-200_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\pt-BR\System.Windows.Forms.Primitives.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Windows Media Player\de-DE\WMPMediaSharing.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Java\jdk-1.8\legal\javafx\libxml2.md C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Java\jdk-1.8\legal\jdk\santuario.md C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O17EnterpriseVL_Bypass30-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Office15\pkeyconfig-office.xrm-ms C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\index.win32.bundle.map C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-72.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\es\Microsoft.PackageManagement.MetaProvider.PowerShell.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\ja\PresentationCore.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\Json\EmailAction-AdaptiveCard.json C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-96_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-72_altform-fullcolor.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\LibrarySquare150x150Logo.scale-200_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\FetchingMail-Dark.scale-400.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\zh-cn_get.svg C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\css\main.css C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\ink\micaut.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageLargeTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\tifffilt.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Locales\kn.pak C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\kok.pak C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Background_RoomTracing_06.jpg C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-48_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SplashScreen.scale-125_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStoreTasksWrapper.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Generic-Light.scale-100.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-32_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\uk-ua\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\text_2x.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PROOF\LTSHYPH_EN.LEX C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\custom.lua C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\demux\libau_plugin.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxSignature.p7x C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-64_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Common Files\System\msadc\adcjavas.inc C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\prefs_enclave_x64.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.ConnectionUI.Dialog.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-140.png C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.IO.UnmanagedMemoryStream.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\fr\aspnetmmcext.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\App_LocalResources\DebugAndTrace.aspx.es.resx C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ScheduledJob.Resources\v4.0_3.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.ScheduledJob.Resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Workflow.Runtime.resources\v4.0_4.0.0.0_it_31bf3856ad364e35\System.Workflow.Runtime.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Cursors\arrow.svg C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Fonts\vga861.fon C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\acpi.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\pci.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\L2Schemas\WLAN_profile_v1.xsd C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\DE\ShFusRes.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallPersistSqlState.sql C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\fr\System.Workflow.ComponentModel.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\reflow.api_NON_OPT C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Media\Windows Shutdown.wav C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\Users\App_LocalResources\manageUsers.aspx.it.resx C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ja\System.Device.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\webengine4.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WSMan.Management.Resources\v4.0_3.0.0.0_es_31bf3856ad364e35\Microsoft.WSMan.Management.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\en-US\EncryptFilesonMove.adml C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Speech_OneCore\Engines\TTS\fr-FR\NUSData\M1036Nathalie.tbtdirection.wve C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\es\System.Web.Extensions.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\de\UIAutomationTypes.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\es\System.ServiceModel.Routing.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\de-DE\ActiveXInstallService.adml C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\es-ES\FileServerVSSProvider.adml C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\es-ES\PreviousVersions.adml C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\it-IT\srm-fci.adml C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Media\MovePrevious_48000Hz.raw C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\selectedTab_1x1.gif C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\fr\System.IO.Log.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\es\SMDiagnostics.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.ApplicationServices.resources\v4.0_4.0.0.0_es_31bf3856ad364e35\System.Web.ApplicationServices.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PLA\Reports\en-US\Report.System.Memory.xml C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\en-US\EdgeUI.adml C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Speech_OneCore\Engines\TTS\it-IT\NUSData\M1040Cosimo.keyboard.RAD C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Cursors\size4_l.cur C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\L2Schemas\WFD_LEGACY_profile_v1.xsd C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\unSelectedTab_leftCorner.gif C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallRoles.sql C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Web.tlb C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ja\System.IO.Log.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms.DataVisualization\v4.0_4.0.0.0__31bf3856ad364e35\System.Windows.Forms.DataVisualization.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\SMSvcHost 4.0.0.0\0410\_SMSvcHostPerfCounters_d.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\mdmzoom.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Installer\cbde.msi C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\App_LocalResources\security.aspx.ja.resx C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\App_LocalResources\DefineErrorPage.aspx.es.resx C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\fr\SqlWorkflowInstanceStoreSchema.sql C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Activities.Presentation.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\DE\System.EnterpriseServices.Resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\wsearchidxpi\idxcntrs.h C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\web.config.default C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\CreateAppSetting.aspx C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\DefineErrorPage.aspx C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\XsdBuildTask.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\it\aspnet.mfl C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Transactions.Bridge.Dtc.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp.resources\v4.0_4.0.0.0_de_b03f5f7f11d50a3a\Microsoft.CSharp.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Help\mui\0410\cliconf.chm C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\App_LocalResources\CreateAppSetting.aspx.it.resx C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Activities.Resources\v4.0_3.0.0.0_ja_31bf3856ad364e35\Microsoft.PowerShell.Activities.Resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationUI.resources\v4.0_4.0.0.0_de_31bf3856ad364e35\PresentationUI.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem.resources\v4.0_4.0.0.0_fr_b77a5c561934e089\System.IO.Compression.FileSystem.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe N/A

Browser Information Discovery

discovery

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-03_69b3b3182dced676212aa210c6d1b788_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 c.pki.goog udp
DE 142.250.184.195:80 c.pki.goog tcp

Files

C:\Program Files\7-Zip\7z.dll

MD5 46a54192443cf738ec82bb1423d6e201
SHA1 dd427ac5aa578c7e0fd4acba2f65655bcd0a39d3
SHA256 845be97b3e4200b4124b92d7cbef87f2237fdfde2a48800578ccacfc7bed460f
SHA512 89756bee440d0e35bfcc111c43402f9cd55560dc27237637db88adb8998aec5726399c6049cf4934c705d228018e16e62ea5206d22c32379392439947f7273e2

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

MD5 d02e29ef8284ae54eef790922bb09619
SHA1 e9179a49fc23b8b0eae2f12d48f9b61d62ae87b7
SHA256 d54c8330a013d3b8cad6008c8b646b6e9edf10b62e42ffc5eaf474c9629c2f9e
SHA512 bb293855e6b1f8b945475fee955e8dddeaa869ec6e426917f31efedb96f7a0138e45c3702edd3a7bd5c987a32fb52cba3e9779e37921db2c8ec709d4e6000674

C:\Program Files\Microsoft Office\root\Office16\VISSHE.DLL

MD5 cc4f23eaa2c26e8bf39ac1193436ddd4
SHA1 ce18e5bcc7ee0cf0c998aaeb8e78c9f5b55bb049
SHA256 3806ff20a8bac74962437a0815a6a38168ebd68fcbca34505f2da1485b54c4af
SHA512 eea6612ca057220261f7c44fa9701c3a0065a97d5d9b4a22e3031a6b96a223aa27619c918a4bbc588a963fcee8d53e3791d8be50e083fda5a51815fda88b1dd6