Malware Analysis Report

2025-06-16 06:30

Sample ID: 250515-kdk63asjz2
Target: 2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch
SHA256: 1323ca39b30040cd5a030c35c14cbc8b5ae1115ad0185c4dc2ff8c3bafe69108
Tags: gofing, credential_access, discovery, ransomware, spyware, stealer
Score: 10/10

Analysis Overview

Threat Level: Known bad

The file 2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch was found to be: Known bad.

Malicious Activity Summary

gofing credential_access discovery ransomware spyware stealer

Gofing family

Gofing

Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

Renames multiple (55) files with added filename extension

Drops file in Drivers directory

Manipulates Digital Signatures

Executes dropped EXE

Drops startup file

Loads dropped DLL

Reads user/profile data of web browsers

Credentials from Password Stores: Windows Credential Manager

Drops Chrome extension

Drops desktop.ini file(s)

Drops file in System32 directory

Drops autorun.inf file

Drops file in Windows directory

Drops file in Program Files directory

Browser Information Discovery

Unsigned PE

Analysis: static1

Detonation Overview

Reported: 2025-05-15 08:29

Signatures

Gofing family

gofing

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted: 2025-05-15 08:29
Reported: 2025-05-15 08:31
Platform: win10v2004-20250502-en
Max time kernel: 150s
Max time network: 142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe"

Signatures

Gofing

ransomware gofing

Gofing family

gofing

Drops file in Drivers directory

Manipulates Digital Signatures

Description: File created
Indicator: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll
Process: C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe
Target: N/A

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description: File created
Indicator: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
Process: C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe
Target: N/A

Loads dropped DLL

Reads user/profile data of web browsers

spyware stealer

Drops Chrome extension

Description: File created
Indicator: C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\manifest.json
Process: C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe
Target: N/A

Drops desktop.ini file(s)

Drops autorun.inf file

Description: File opened for modification
Indicator: C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf
Process: C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe
Target: N/A

Drops file in System32 directory

File created C:\Windows\SysWOW64\en-US\InstallService.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\fr-FR\mapi32.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\msiwer.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\tvratings.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\F12\es-ES\F12Platform2.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\FXSAPI.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetSecurity\NetIPsecDospSetting.cmdletDefinition.cdxml C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\fr-FR\fixmapi.exe.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\it-IT\imapi2fs.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\KBDFR.DLL C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Kds\Kds.psd1 C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\MsDtc\ja-JP\TestDtc.psd1 C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\iasrecst.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\it-IT\PhoneUtilRes.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\it-IT\odbcji32.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\de-DE\jscript.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\de-DE\wshext.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\dmdskres2.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\F12\uk-UA\F12Platform2.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\atmlib.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\es-ES\sppc.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\VpnClient\VpnClientPSProvider.Format.ps1xml C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\c_GSM7.DLL C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Drops file in Program Files directory

Description Indicator Process Target

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\PolicyDefinitions\it-IT\EventForwarding.adml C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\acpi.PNF C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ES\System.Security.Resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_perf.h C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\sbscmp20_mscorwks.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\es-ES\MobilePCMobilityCenter.adml C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\PERFLIB\0C0A\perfc.dat C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\App_LocalResources\home0.aspx.de.resx C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\image1.gif C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.IO.Compression.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\WorkplaceJoin.admx C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Speech\Engines\SR\de-DE\l1031.ngr C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Speech_OneCore\Engines\SR\es-ES-N\l3082.cw C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Speech_OneCore\Engines\SR\ja-JP-N\lsr1041.lxa C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\ipoib6x.inf C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ja\System.Numerics.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\it\System.WorkflowServices.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel.resources\v4.0_4.0.0.0_fr_b77a5c561934e089\System.IdentityModel.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Prefetch\BACKGROUNDTASKHOST.EXE-858A19DE.pf C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Speech_OneCore\Engines\TTS\es-ES\NUSData\M3082Pablo.keyboard.wve C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\mdmusrk1.inf C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\WebAdminStyles.css C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\App_LocalResources\CreateAppSetting.aspx.ja.resx C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Roles\App_LocalResources\manageAllRoles.aspx.fr.resx C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\fr\MSBuild.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Fonts\msjhl.ttc C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Media\Speech Off.wav C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\App_GlobalResources\GlobalResources.es.resx C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Browser Information Discovery

discovery

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe"

Network

Country Destination Domain Proto
GB 2.17.113.91:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
FR 142.251.37.35:80 c.pki.goog tcp

Files

C:\Program Files\7-Zip\7-zip32.dll

MD5 6ca3867f65dc7c5c79a036b5b8ef8018
SHA1 d84f29d1b884fdc4b11dda9fbcdc47a168fd553e
SHA256 2fa8b6974c2d0cb50d1628a606f2f8627ec9023d24a049c2dee3e0426869008f
SHA512 64249119e08e960a7b43aa64dc9d8d9310b2a31394440f2cf8aa1db828c0dd69d9659b9088053c87386f4c1b418079e20f9e3fbe554993c8e7c3aea7c1bdfde6

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

MD5 597779c34071d50efd17c1d3b8782d18
SHA1 492da44b6c4d826bdecc903b6669f59657735ee2
SHA256 a78d42338d7966cf67f5137dd848cfc32d155d8570016b3b5b557d8f2c019815
SHA512 0d04023676b9cc2a7704acba1b66aba77c0bf3e5e5785a9e5c9e5681331fd071ad751f8fe716da48eac1095a7f5efe865a4f3a504c58b5579e2f5d550fb6b87d

Analysis: behavioral2

Detonation Overview

Submitted

2025-05-15 08:29

Reported

2025-05-15 08:31

Platform

win11-20250502-en

Max time kernel

150s

Max time network

105s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe"

Signatures

Gofing

ransomware gofing

Gofing family

gofing

Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

Description Indicator Process Target
N/A N/A N/A N/A

Renames multiple (55) files with added filename extension

ransomware

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\it-IT\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\uk-UA\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\es-ES\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\it-IT\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\ja-JP\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\afunix.sys C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\de-DE\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\de-DE\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\fr-FR\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\gmreadme.txt C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\ja-JP\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\fr-FR\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\gm.dls C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\en-US\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\en-US\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\es-ES\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Manipulates Digital Signatures

Description Indicator Process Target
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\manifest.json C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\$Recycle.Bin\S-1-5-21-2117256398-1057710415-2142084777-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Drops file in System32 directory


Drops file in Program Files directory

File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.DataIntegration.TransformDataByExample.dll C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.40978.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MedTile.scale-150_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_1.0.36.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-96_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Drops file in Windows directory


Browser Information Discovery

discovery

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-15_264d96401490fd62ebdd0a924b09af59_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe"

Network

Files
