Malware Analysis Report

2025-06-16 06:31

Sample ID 250515-hdfkgahq2y
Target 2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch
SHA256 265e598e1b59b628a3022ab51d8dc602ae40f153c2d25605d2c55da67bcc0a09
Tags
gofing credential_access discovery ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

265e598e1b59b628a3022ab51d8dc602ae40f153c2d25605d2c55da67bcc0a09

Threat Level: Known bad

The file 2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch was found to be: Known bad.

Malicious Activity Summary

gofing credential_access discovery ransomware spyware stealer

Gofing

Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

Gofing family

Renames multiple (52) files with added filename extension

Drops file in Drivers directory

Manipulates Digital Signatures

Loads dropped DLL

Credentials from Password Stores: Windows Credential Manager

Reads user/profile data of web browsers

Drops startup file

Drops desktop.ini file(s)

Drops Chrome extension

Drops autorun.inf file

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Browser Information Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-15 06:37

Signatures

Gofing family

gofing

Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-15 06:37

Reported

2025-05-15 06:39

Platform

win10v2004-20250502-en

Max time kernel

150s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe"

Signatures

Gofing

ransomware gofing

Gofing family

gofing

Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Renames multiple (52) files with added filename extension

ransomware

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\fr-FR\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\it-IT\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\en-US\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\es-ES\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\fr-FR\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\gm.dls C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\it-IT\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\es-ES\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\ja-JP\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\ja-JP\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\de-DE\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\en-US\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\gmreadme.txt C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\uk-UA\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\afunix.sys C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\de-DE\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\manifest.json C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Fonts\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Offline Web Pages\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Downloaded Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetworkTransition\MSFT_NetIpHTTPsConfiguration.format.ps1xml C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\en-US\DavSyncProvider.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\en-US\wuapi.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\itss.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Common-RegulatedPackages-WOW64-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\DesktopShellAppStateContract.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\AboveLockAppHost.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\it-IT\user32.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-VmBus-VirtualDevice-Package~31bf3856ad364e35~amd64~uk-UA~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Common-Foundation-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-CoreSystem-RemoteFS-Client-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Internet-Browser-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.cdxml C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\en-US\searchfolder.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\ja-JP\cic.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Networking-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\microsoft-windows-RemoteFX-clientVM-RemoteFXWDDMDriver-WOW64-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\AuthExt.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-IntegrationComponents-VirtualDevice-Server-Package~31bf3856ad364e35~amd64~uk-UA~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package04~31bf3856ad364e35~amd64~~10.0.19041.1151.cat C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\rasdlg.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\sk-SK\windows.ui.xaml.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\wbem\de-DE\FolderRedirectionWMIProvider.mfl C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\wbem\uk-UA\netnccim.mfl C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-Host-VirtualMachines-Package~31bf3856ad364e35~amd64~~10.0.19041.1288.cat C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Networking-VirtualDevice-Synthetic-merged-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-RDP4VS-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.84.cat C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Storage-VSP-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\de-DE\twext.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\en-US\gpapi.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\es-ES\mshtmler.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\es-ES\scrnsave.scr.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\wbem\it-IT\mispace_uninstall.mfl C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Containers-ApplicationGuard-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-VirtualizationBasedSecurity-Package~31bf3856ad364e35~amd64~uk-UA~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\Dism\ja-JP\MsiProvider.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\Kswdmcap.ax C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Common-Package~31bf3856ad364e35~amd64~~10.0.19041.1288.cat C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package00~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.1288.cat C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Multimedia-MF-merged-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Remotefx-Clientvm-Rdvgwddmdx11-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Telnet-Client-Opt-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\Windows.Storage.Compression.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\fr-FR\wshext.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\it-IT\tapiui.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\setup\pbkmigr.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\spp\tokens\skus\csvlk-pack\csvlk-pack-Volume-CSVLK-6-ul-store-rtm.xrm-ms C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-HypervisorPlatform-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\KBDGR.DLL C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\Windows.Devices.SmartCards.Phone.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\en-US\pshed.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\ja-JP\msftedit.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\@AppHelpToast.png C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-VMMS-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1266.cat C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Worker-merged-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-Multimedia-CastingReceiver-Media-Package~31bf3856ad364e35~amd64~~10.0.19041.264.cat C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\fr-FR\appmgmts.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\ja-JP\serwvdrv.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\msvcp140_codecvt_ids.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\wbem\it-IT\PrintManagementProvider.mfl C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Browser-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_es-419.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\Assets\Images\SkypeMedTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-24.png C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Thread.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileAcrobatCard_Light.pdf C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Java\jdk-1.8\lib\sa-jdi.jar C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\tzdb.dat C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-80_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\Assets\Images\SkypeLargeTile.scale-100_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MedTile.scale-200_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\ar_get.svg C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\sk-SK\tipresx.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageBadgeLogo.scale-150_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-32_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\models\es-ES.PhoneNumber.ot C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Windows.Controls.Ribbon.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\SmallTile.scale-125_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-80_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Xaml.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\plugin.js C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Background_RoomTracing_02.jpg C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeUpdate_disable\1.3.195.43\MicrosoftEdgeUpdateSetup.exe C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\ReadMeasure.cfg C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorMedTile.contrast-white_scale-200.png C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\XboxApp.UI\Resources\Images\MessagesXboxLogo.png C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\TXP_DiningReservation_Light.png C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ko-kr\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\CortanaApp.ProjectedApi.xml C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\AppxSignature.p7x C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-24_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\images\cursors\cursors.properties C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireAppList.targetsize-96_altform-lightunplated_devicefamily-colorfulunplated.png C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-40_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Common Files\System\ja-JP\wab32res.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Windows Defender\uk-UA\EppManifest.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\EventSource.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxSignature.p7x C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\Square44x44Logo.scale-200.png C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\ext\nashorn.jar C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\plugin2\vcruntime140.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Win.UltraWinGrid.v8.1.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XPath.XDocument.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Common Files\System\msadc\adcvbs.inc C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\LargeTile.scale-125_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GameBar_LargeTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.ServiceModel.Http.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreWideTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Text.Encoding.CodePages.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\organize.svg C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\legal\jdk\freebxml.md C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-80_altform-fullcolor.png C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubStoreLogo.scale-100_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Windows Defender\uk-UA\ProtectionManagement.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-24_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\images\themeless\desktop_acrobat_logo.png C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\UIAutomationClient.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.Targets C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Advanced-Light.scale-100.png C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_removeme-default_18.svg C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\7-Zip\7-zip.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireAppList.targetsize-48_altform-unplated_devicefamily-colorfulunplated.png C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\search_emptystate.png C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\Permissions\App_LocalResources\createPermission.aspx.resx C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\es\System.Drawing.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\it\System.Web.Routing.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\it\System.Design.Resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\App_LocalResources\DefineErrorPage.aspx.es.resx C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Users\App_LocalResources\findUsers.aspx.it.resx C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\mdm3com.inf C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ImmersiveControlPanel\images\wide.Lock.png C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\EventLogMessages.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\es\SqlPersistenceProviderSchema.sql C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ja\System.Web.DynamicData.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\es\System.Drawing.Design.Resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Permissions\managePermissions.aspx C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\fr\Tracking_Logic.sql C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\1041\CvtResUI.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\it\UIAutomationClient.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\JA\System.Drawing.Design.Resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\es\System.Activities.Core.Presentation.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\it\System.Activities.DurableInstancing.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices.resources\v4.0_4.0.0.0_it_b03f5f7f11d50a3a\System.DirectoryServices.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\en-US\DeviceGuard.adml C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\es-ES\TabletPCInputPanel.adml C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\PERFLIB\0407\perfh.dat C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ImmersiveControlPanel\images\wide.System.png C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\fr\System.Configuration.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\System.Web.Mobile.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Drawing.tlb C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer.Resources\v4.0_10.0.0.0_fr_31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.Resources\v4.0_1.0.0.0_ja_31bf3856ad364e35\Microsoft.Management.Infrastructure.Resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Tpm.Resources\v4.0_10.0.0.0_de_31bf3856ad364e35\microsoft.tpm.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Boot\EFI\pt-BR\memtest.efi.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack.Resources\v4.0_10.0.0.0_fr_31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.RunTime.Serialization.resources\v4.0_4.0.0.0_ja_b77a5c561934e089\System.RunTime.Serialization.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.WindowsRuntime\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.WindowsRuntime.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PLA\Rules\en-US\Rules.System.Performance.xml C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\es-ES\StorageHealth.adml C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\fr-FR\ExternalBoot.adml C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\ja-JP\ReAgent.adml C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\peverify.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\App_LocalResources\SmtpSettings.aspx.es.resx C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security.Resources\v4.0_3.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.Security.Resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Panther\setuperr.log C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\es-ES\IIS.adml C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\it-IT\WinCal.adml C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PrintDialog\Assets\splashscreen.contrast-black.png C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Speech_OneCore\Engines\TTS\en-US\M1033Mark.INI C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Fonts\taileb.ttf C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\ServiceModelEndpoint 3.0.0.0\0410\_ServiceModelEndpointPerfCounters_D.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\wdma_usb.PNF C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ImmersiveControlPanel\images\logo.contrast-black_scale-200.png C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\ReadOutLoud.api C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_Code\PasswordValueTextBox.cs C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtilLib.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\1036\Microsoft.VisualBasic.Activities.CompilerUI.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Fonts\s8514oem.fon C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\remoteposdrv.inf C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v1.1.4322\gacutil.exe.config C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\ja\System.Printing.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\de\System.Web.Mobile.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\System.ServiceProcess.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\1041\FileTrackerUI.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EventLogMessages.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ImmersiveControlPanel\images\splashscreen.contrast-black_scale-150.png C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\PresentationFramework-SystemCore.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Browser Information Discovery

discovery

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-15_facdf5de2cbbe2835db068ef88740209_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
FR 142.251.37.35:80 c.pki.goog tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

C:\Program Files\7-Zip\7-zip32.dll

MD5 4c8fe259bfb8de9c0f84c8120c513182
SHA1 dc2959ac343729316b07a868011451324bda1cbc
SHA256 d114819f0283c4a54079683d7b6cef987782f45f70ea27c9ca766eac5bbca817
SHA512 50ffb679f3a9a0b968afd8908ced72b67ac1ba1268effc6f45d033a706c6a1a83c905fb5483c27936462fd5412e29a781101cba90d52db16a0f75bfc9acee395

C:\Program Files\Microsoft Office\root\Office16\VISSHE.DLL

MD5 1ee63b0ae76bf3e6db8e6ede56e8a9c7
SHA1 786758836e0e178266fb50edd37e19940ab17ff4
SHA256 3de4a924edaa6d326ccfcaefb92c90dbce082b9ecc38236f35faed2c014d452e
SHA512 969ad63ddbe8efd6c8942de67f868f4cb009638ca05c608f2950b2b568f01afa9bf9b538251f5e22db0ad9bdb70bc806cb86c75be58e984f9f0a253b0cc33cb2

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

MD5 a3d41e11a3cc48eeea9678f3928a9f41
SHA1 0d2cb14564df4fd9296bf7e32719c41b9bb7f8e3
SHA256 06cc40a730fb27a90aab46aa5d3e441eca9b6858428b68fab70b1d779ac0f78f
SHA512 da24407a42e3c2501826b9ac0a5c8727a462e70ae015e2dfa8c149412a6a9ea1af9f453b86bdbdf314e7c25a6e12597e24942035cbbf54706b0617fd3787d87c