Malware Analysis Report

2025-06-16 06:30

Sample ID 250515-jlrs5stvcz
Target 2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch
SHA256 82be4a55e0a3645b631ed0600a970486dbb626478fabfb40c5a280a8d721d5e0
Tags gofing credential_access discovery ransomware spyware stealer
Score 10/10

Analysis Overview

score
10/10

SHA256

82be4a55e0a3645b631ed0600a970486dbb626478fabfb40c5a280a8d721d5e0

Threat Level: Known bad

The file 2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch was found to be: Known bad.

Malicious Activity Summary

gofing credential_access discovery ransomware spyware stealer

Gofing

Gofing family

Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

Renames multiple (52) files with added filename extension

Drops file in Drivers directory

Manipulates Digital Signatures

Reads user/profile data of web browsers

Loads dropped DLL

Credentials from Password Stores: Windows Credential Manager

Executes dropped EXE

Drops startup file

Drops desktop.ini file(s)

Drops Chrome extension

Drops file in System32 directory

Drops autorun.inf file

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Browser Information Discovery

Analysis: static1

Detonation Overview

Reported

2025-05-15 07:45

Signatures

Gofing family

gofing

Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-15 07:45

Reported

2025-05-15 07:48

Platform

win10v2004-20250502-en

Max time kernel

150s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe"

Signatures

Gofing

ransomware gofing

Gofing family

gofing

Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

Drops file in Drivers directory

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Loads dropped DLL

Reads user/profile data of web browsers

spyware stealer

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\manifest.json C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Drops desktop.ini file(s)

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Drops file in System32 directory

File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Storage-VirtualDevice-PMEM-merged-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_UserResource\en-US\MSFT_UserResource.strings.psd1 C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\it-IT\apphelp.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\ja-JP\msfeedsbs.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\wbem\en-US\wscenter.mfl C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\wbem\es-ES\l2gpstore.mfl C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\winmsipc.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\C_1258.NLS C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Hypervisor-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\de\AuthFWSnapIn.Resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetNat\MSFT_NetNatStaticMapping.cdxml C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\Maml.xsd C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\it-IT\cic.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\it-IT\dot3gpui.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\msvcp100.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\negoexts.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\uk-UA\slc.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\wbem\fr-FR\nlmcim.mfl C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\Com\en-US\MigRegDB.exe.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\es-ES\dot3gpui.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\BdeUISrv.exe C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-KMCL-Host-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\it-IT\InstallService.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\it-IT\wcnwiz.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Drops file in Program Files directory

Description Indicator Process Target

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorie.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\es\UIAutomationProvider.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\WindowsConnectNow.admx C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\de-DE\MDM.adml C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\ja-JP\Bits.adml C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v3.5\Microsoft.Build.xsd C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\it\System.Web.Services.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\de\System.Design.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\DeviceCredential.admx C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\fr-FR\AppPrivacy.adml C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\it-IT\PerformancePerftrack.adml C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Prefetch\ONEDRIVE.EXE-96969DDA.pf C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Globalization\ELS\SpellDictionaries\Fluency\es-ES\.config C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Media\Focus2_48000Hz.raw C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\JA\ShFusRes.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Messaging.resources\v4.0_4.0.0.0_es_b03f5f7f11d50a3a\System.Messaging.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Speech\Engines\SR\en-US\l1033.mllr C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System\Speech\synthesis-core.xsd C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v3.5\MOF\fr\ServiceModel35.mfl.uninstall C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Wizard\App_LocalResources\wizardProviderInfo.ascx.de.resx C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\es\System.ServiceModel.Discovery.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ImmersiveControlPanel\de-DE\SystemSettings.exe.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\App_LocalResources\home0.aspx.ja.resx C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\JA\Microsoft.JScript.Resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\System.EnterpriseServices.Wrapper.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\WebAdminHelp_Security.aspx C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.resources\v4.0_4.0.0.0_fr_b77a5c561934e089\System.ServiceModel.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Browser Information Discovery

discovery

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
FR 142.251.37.35:80 c.pki.goog tcp

Files

C:\Program Files\7-Zip\7-zip.dll

MD5 04df9225305040148113dbdb12c3a25a
SHA1 3b2a0d01ebf1a508cf2c424d06cd9aedb321f68d
SHA256 9b38109a9ca0d632f61d8a66587f3875b020790c037a4f78a17ee40674e17273
SHA512 6290b35382cbb3b2782bb4415c9222509dd9ae0f64272a8866b6e656bba1fb01d1a13a6cbe8998975cda20a6ed361da4349fb289ea659ad65ce08652d5039ab2

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

MD5 a48554be65da549ade07135c84d155d7
SHA1 258942c40f7b517ae5cbbf4bd7730304b0bffb18
SHA256 b4c9665a47924272919f224354bd01f85eda1d77ff379e07f5f09ffbaf230643
SHA512 91149c8741b359d2c6df38b3eaca95accb542aeae1f691c244d0211cde763f6ec3e272af07e5548b7cb586e55c7fe1560051e15c90c0eb32afe7a58ce1b62d68

Analysis: behavioral2

Detonation Overview

Submitted

2025-05-15 07:45

Reported

2025-05-15 07:48

Platform

win11-20250508-en

Max time kernel

150s

Max time network

102s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe"

Signatures

Gofing

ransomware gofing

Gofing family

gofing

Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

Description Indicator Process Target
N/A N/A N/A N/A

Renames multiple (52) files with added filename extension

ransomware

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\en-US\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\es-ES\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\fr-FR\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\gm.dls C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\ja-JP\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\uk-UA\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\de-DE\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\de-DE\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\gmreadme.txt C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\it-IT\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\afunix.sys C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\en-US\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\es-ES\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\fr-FR\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\ja-JP\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\it-IT\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\manifest.json C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Media\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Offline Web Pages\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Downloaded Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Drops file in System32 directory


Drops file in Program Files directory

File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\back-arrow-disabled.svg C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\zh-cn_get.svg C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libmono_plugin.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2102.13.0_x64__8wekyb3d8bbwe\Assets\contrast-white\NotepadAppList.targetsize-48.png C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\SpeechToTextOverlay.winmd C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxWideTile.scale-150.png C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Drops file in Windows directory


Browser Information Discovery

discovery

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-15_395c7f71f6117cd2506dab5d05f779ee_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe"

Network

Files

C:\Program Files\7-Zip\7-zip32.dll


C:\Program Files\Microsoft Office\root\Office16\VISSHE.DLL


C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll
