Malware Analysis Report

2025-06-16 06:31

Sample ID: 250515-jk9ybs1qt7
Target: 2025-05-15_f3ed9cd9921dfa3797fdd934bd8ac588_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch
SHA256: b483a3149d98dc85a6bb102b1b7d77531a256cc92b811e8ee7aca50c99fe3d09
Tags: gofing credential_access discovery ransomware spyware stealer
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: b483a3149d98dc85a6bb102b1b7d77531a256cc92b811e8ee7aca50c99fe3d09

Threat Level: Known bad

The file 2025-05-15_f3ed9cd9921dfa3797fdd934bd8ac588_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch was found to be: Known bad.

Malicious Activity Summary

gofing credential_access discovery ransomware spyware stealer

Gofing family

Gofing

Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

Renames multiple (51) files with added filename extension

Manipulates Digital Signatures

Drops file in Drivers directory

Credentials from Password Stores: Windows Credential Manager

Drops startup file

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Drops Chrome extension

Drops desktop.ini file(s)

Drops autorun.inf file

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Browser Information Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2025-05-15 07:44

Signatures

Gofing family

gofing

Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.


Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted: 2025-05-15 07:44

Reported: 2025-05-15 07:47

Platform: win10v2004-20250502-en

Max time kernel: 150s

Max time network: 141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-15_f3ed9cd9921dfa3797fdd934bd8ac588_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe"

Signatures

Gofing

ransomware gofing

Gofing family

gofing

Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.


Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_f3ed9cd9921dfa3797fdd934bd8ac588_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Loads dropped DLL


Reads user/profile data of web browsers

spyware stealer

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\manifest.json C:\Users\Admin\AppData\Local\Temp\2025-05-15_f3ed9cd9921dfa3797fdd934bd8ac588_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Drops desktop.ini file(s)


Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-15_f3ed9cd9921dfa3797fdd934bd8ac588_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Drops file in System32 directory

File created C:\Windows\SysWOW64\RADCUI.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_f3ed9cd9921dfa3797fdd934bd8ac588_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\Windows.Gaming.Preview.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_f3ed9cd9921dfa3797fdd934bd8ac588_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_GroupResource\uk-UA\MSFT_GroupResource.schema.mfl C:\Users\Admin\AppData\Local\Temp\2025-05-15_f3ed9cd9921dfa3797fdd934bd8ac588_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\WindowsOptionalFeatureSet\WindowsOptionalFeatureSet.psd1 C:\Users\Admin\AppData\Local\Temp\2025-05-15_f3ed9cd9921dfa3797fdd934bd8ac588_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\InstallShield\setupdir\0006\_setup.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_f3ed9cd9921dfa3797fdd934bd8ac588_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\fr-FR\BitLocker.psd1 C:\Users\Admin\AppData\Local\Temp\2025-05-15_f3ed9cd9921dfa3797fdd934bd8ac588_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetworkTransition\MSFT_NetIpHTTPsState.format.ps1xml C:\Users\Admin\AppData\Local\Temp\2025-05-15_f3ed9cd9921dfa3797fdd934bd8ac588_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Drops file in Program Files directory

Description Indicator Process Target

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Activities.resources\v4.0_4.0.0.0_es_31bf3856ad364e35\System.ServiceModel.Activities.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_f3ed9cd9921dfa3797fdd934bd8ac588_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\aspnet_compiler.resources\v4.0_4.0.0.0_de_b03f5f7f11d50a3a\aspnet_compiler.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_f3ed9cd9921dfa3797fdd934bd8ac588_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\TextInput.admx C:\Users\Admin\AppData\Local\Temp\2025-05-15_f3ed9cd9921dfa3797fdd934bd8ac588_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Resources\Themes\aero\it-IT\aero.msstyles.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_f3ed9cd9921dfa3797fdd934bd8ac588_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\Users\App_LocalResources\manageUsers.aspx.resx C:\Users\Admin\AppData\Local\Temp\2025-05-15_f3ed9cd9921dfa3797fdd934bd8ac588_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\it-IT\TabletPCInputPanel.adml C:\Users\Admin\AppData\Local\Temp\2025-05-15_f3ed9cd9921dfa3797fdd934bd8ac588_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Prefetch\RUNDLL32.EXE-976DB280.pf C:\Users\Admin\AppData\Local\Temp\2025-05-15_f3ed9cd9921dfa3797fdd934bd8ac588_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Boot\EFI\zh-CN\memtest.efi.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_f3ed9cd9921dfa3797fdd934bd8ac588_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\audioendpoint.PNF C:\Users\Admin\AppData\Local\Temp\2025-05-15_f3ed9cd9921dfa3797fdd934bd8ac588_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\input.PNF C:\Users\Admin\AppData\Local\Temp\2025-05-15_f3ed9cd9921dfa3797fdd934bd8ac588_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\it\System.Web.Abstractions.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_f3ed9cd9921dfa3797fdd934bd8ac588_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\v4.0_10.0.0.0_en_31bf3856ad364e35\Microsoft.GroupPolicy.AdmTmplEditor.Resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_f3ed9cd9921dfa3797fdd934bd8ac588_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\DiskQuota.admx C:\Users\Admin\AppData\Local\Temp\2025-05-15_f3ed9cd9921dfa3797fdd934bd8ac588_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Fonts\calibril.ttf C:\Users\Admin\AppData\Local\Temp\2025-05-15_f3ed9cd9921dfa3797fdd934bd8ac588_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\mdmnttd6.inf C:\Users\Admin\AppData\Local\Temp\2025-05-15_f3ed9cd9921dfa3797fdd934bd8ac588_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\microsoft_bluetooth_a2dp.PNF C:\Users\Admin\AppData\Local\Temp\2025-05-15_f3ed9cd9921dfa3797fdd934bd8ac588_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\secrecs.inf C:\Users\Admin\AppData\Local\Temp\2025-05-15_f3ed9cd9921dfa3797fdd934bd8ac588_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Browser Information Discovery

discovery

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-15_f3ed9cd9921dfa3797fdd934bd8ac588_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-15_f3ed9cd9921dfa3797fdd934bd8ac588_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe"

Network


Files


Analysis: behavioral2

Detonation Overview

Submitted

2025-05-15 07:44

Reported

2025-05-15 07:47

Platform

win11-20250502-en

Max time kernel

150s

Max time network

102s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-15_f3ed9cd9921dfa3797fdd934bd8ac588_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe"

Signatures

Gofing

ransomware gofing

Gofing family

gofing

Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

Description Indicator Process Target
N/A N/A N/A N/A

Renames multiple (51) files with added filename extension

ransomware

Drops file in Drivers directory


Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_f3ed9cd9921dfa3797fdd934bd8ac588_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\manifest.json C:\Users\Admin\AppData\Local\Temp\2025-05-15_f3ed9cd9921dfa3797fdd934bd8ac588_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Drops desktop.ini file(s)


Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-15_f3ed9cd9921dfa3797fdd934bd8ac588_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Drops file in System32 directory


Drops file in Program Files directory


Drops file in Windows directory


Browser Information Discovery

discovery

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-15_f3ed9cd9921dfa3797fdd934bd8ac588_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-15_f3ed9cd9921dfa3797fdd934bd8ac588_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe"

Network

Files
