Malware Analysis Report

2025-06-16 06:30

Sample ID 250515-jnbvpsbm5x
Target 2025-05-15_72b0ab083a5365b77c915d60c0acb01f_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch
SHA256 7077ddac62ea1edf3085aa90c7b02d5f5f954dd5b80c9320d50f982c0f266434
Tags gofing credential_access discovery ransomware spyware stealer
Score 10/10

Analysis Overview


Threat Level: Known bad

The file 2025-05-15_72b0ab083a5365b77c915d60c0acb01f_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch was found to be: Known bad.

Malicious Activity Summary

gofing credential_access discovery ransomware spyware stealer

Gofing

Gofing family

Gofing is ransomware written in Golang that uses Velocity Polymorphic Compression (VPC) obfuscation.

Renames multiple (51) files with added filename extension

Reads user/profile data of web browsers

Credentials from Password Stores: Windows Credential Manager

Loads dropped DLL

Drops startup file

Drops desktop.ini file(s)

Drops Chrome extension

Drops autorun.inf file

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Browser Information Discovery

Unsigned PE


Analysis: static1

Detonation Overview

Reported

2025-05-15 07:48

Signatures

Gofing family

gofing


Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2025-05-15 07:48

Reported

2025-05-15 07:51

Platform

win10v2004-20250502-en

Max time kernel

150s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-15_72b0ab083a5365b77c915d60c0acb01f_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe"

Signatures

Gofing

ransomware gofing

Gofing family

gofing


Renames multiple (51) files with added filename extension

ransomware

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_72b0ab083a5365b77c915d60c0acb01f_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Loads dropped DLL


Reads user/profile data of web browsers

spyware stealer

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\manifest.json C:\Users\Admin\AppData\Local\Temp\2025-05-15_72b0ab083a5365b77c915d60c0acb01f_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Drops desktop.ini file(s)


Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-15_72b0ab083a5365b77c915d60c0acb01f_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Drops file in System32 directory

File created C:\Windows\SysWOW64\BWContextHandler.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_72b0ab083a5365b77c915d60c0acb01f_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\CallButtons.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_72b0ab083a5365b77c915d60c0acb01f_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\Configuration\Schema\MSFT_FileDirectoryConfiguration\fr-FR\MSFT_FileDirectoryConfiguration.Schema.mfl C:\Users\Admin\AppData\Local\Temp\2025-05-15_72b0ab083a5365b77c915d60c0acb01f_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Drops file in Program Files directory


Drops file in Windows directory

File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\App_LocalResources\WebAdminHelp_Security.aspx.it.resx C:\Users\Admin\AppData\Local\Temp\2025-05-15_72b0ab083a5365b77c915d60c0acb01f_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\es-ES\ControlPanelDisplay.adml C:\Users\Admin\AppData\Local\Temp\2025-05-15_72b0ab083a5365b77c915d60c0acb01f_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Boot\PCAT\fr-CA\bootmgr.exe.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_72b0ab083a5365b77c915d60c0acb01f_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Cursors\person_il.cur C:\Users\Admin\AppData\Local\Temp\2025-05-15_72b0ab083a5365b77c915d60c0acb01f_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\mdmmega.inf C:\Users\Admin\AppData\Local\Temp\2025-05-15_72b0ab083a5365b77c915d60c0acb01f_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\InputMethod\CHS\ChsPinyin.lex C:\Users\Admin\AppData\Local\Temp\2025-05-15_72b0ab083a5365b77c915d60c0acb01f_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\3082\alinkui.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_72b0ab083a5365b77c915d60c0acb01f_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\1031\mscoreeis.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_72b0ab083a5365b77c915d60c0acb01f_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\it-IT\ServiceModelEvents.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_72b0ab083a5365b77c915d60c0acb01f_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\fr-FR\CredSsp.adml C:\Users\Admin\AppData\Local\Temp\2025-05-15_72b0ab083a5365b77c915d60c0acb01f_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Boot\EFI\es-MX\bootmgfw.efi.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_72b0ab083a5365b77c915d60c0acb01f_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Browser Information Discovery

discovery

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-15_72b0ab083a5365b77c915d60c0acb01f_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-15_72b0ab083a5365b77c915d60c0acb01f_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe"

Network

Country Destination Domain Proto
IE 23.216.155.168:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
FR 142.251.37.35:80 c.pki.goog tcp

Files

C:\Program Files\7-Zip\7z.dll

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll
