Malware Analysis Report

2025-08-10 20:10

Sample ID 250518-sbj5zstnw4
Target 2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch
SHA256 714b2a7e74237c7b5dece536b6da94e95c76ce8f31d4d08c807ac81748488e62
Tags
gofing credential_access discovery ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

714b2a7e74237c7b5dece536b6da94e95c76ce8f31d4d08c807ac81748488e62

Threat Level: Known bad

The file 2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch was found to be: Known bad.

Malicious Activity Summary

gofing credential_access discovery ransomware spyware stealer

Gofing family

Gofing

Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

Renames multiple (52) files with added filename extension

Manipulates Digital Signatures

Drops file in Drivers directory

Reads user/profile data of web browsers

Loads dropped DLL

Drops startup file

Credentials from Password Stores: Windows Credential Manager

Drops desktop.ini file(s)

Drops Chrome extension

Drops file in System32 directory

Drops autorun.inf file

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Browser Information Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-18 14:57

Signatures

Gofing family

gofing

Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-18 14:57

Reported

2025-05-18 14:59

Platform

win10v2004-20250502-en

Max time kernel

150s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe"

Signatures

Gofing

ransomware gofing

Gofing family

gofing

Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Renames multiple (52) files with added filename extension

ransomware

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\es-ES\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\fr-FR\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\uk-UA\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\it-IT\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\ja-JP\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\ja-JP\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\afunix.sys C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\es-ES\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\de-DE\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\en-US\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\en-US\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\fr-FR\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\gmreadme.txt C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\it-IT\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\gm.dls C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\de-DE\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\manifest.json C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\it-IT\wlgpclnt.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\prncache.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\AppVEntSubsystemController.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\Dism\it-IT\WimProvider.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\IME\IMETC\IMTCTRLN.DLL C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\KBDBULG.DLL C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\fundisc.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\ja-JP\winsrv.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\win32u.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\microsoft-windows-tabletpcmath-package-Wrapper~31bf3856ad364e35~amd64~~10.0.19041.746.cat C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\KeyboardFilterShim.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Appx\Appx.psm1 C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\de-DE\eapphost.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\ja-JP\csrss.exe.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\netjoin.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Feature-VirtualMachinePlatform-Package~31bf3856ad364e35~amd64~~10.0.19041.264.cat C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-PhotoBasic-PictureTools-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\DesktopShellExt.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\StructuredQuery.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-IntegrationComponents-VirtualDevice-Core-Package~31bf3856ad364e35~amd64~~10.0.19041.153.cat C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-KMCL-Host-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Storage-QoS-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Vpci-VirtualDevice-FlexIo-Package~31bf3856ad364e35~amd64~~10.0.19041.207.cat C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Online-Services-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.928.cat C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Media-Format-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-WPD-UltimatePortableDeviceFeature-Feature-WOW64-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\acledit.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\en-US\dialer.exe.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Printing-WFS-FoD-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\ialpss2i_i2c_glk.inf_amd64_7b6c08738ca8a856\iaLPSS2i_I2C_GLK.inf C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmlasat.inf_amd64_36a71a022d8bb0bb\mdmlasat.inf C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\CloudExperienceHostUser.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\en-US\dfshim.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\fr-FR\IEAdvpack.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\tr-TR\windows.ui.xaml.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\wbem\WsmAgentUninstall.mof C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\AuthHost.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\iscsi.inf_amd64_c089962740ea1f84\msiscsi.sys C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\de-DE\msftedit.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\efsutil.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\es-ES\dot3msm.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\extrac32.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\fr-FR\netshell.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\fr-FR\wecutil.exe.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\rdpbase.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\uk-UA\WebcamUi.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\IME\IMEJP\IMJPCMLD.DLL C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\cryptnet.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\en-US\DismApi.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\it-IT\msmpeg2enc.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\migration\imkrmig.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\AuthFWSnapin.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Hypervisor-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-DirectX-Database-FOD-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\de-DE\themecpl.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\ja-JP\odbcji32.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\wbem\en-US\schedprov.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-TerminalServices-AppCompat-Opt-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Server-Help-Package.ClientEnterprise~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\c_fsundelete.inf_amd64_741f159cc6ce7814\c_fsundelete.inf C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmcom1.inf_amd64_cfd501781ae941c0\mdmcom1.inf C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\Dism\en-US\IBSProvider.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\Taskmgr.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\VideoLAN\VLC\lua\intf\modules\host.luac C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\FileForms32x32.png C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailBadge.scale-100.png C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL087.XML C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\Assets\Images\SkypeTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\EntSyncFx.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailBadge.scale-150.png C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\cs-cz\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themes\dark\close.svg C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\sq.pak C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraLargeTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-24_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-32_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\1949_20x20x32.png C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptyShare-Dark.scale-125.png C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\UIAutomationProvider.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\Microsoft.VisualBasic.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\pt-BR\UIAutomationClient.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraSmallTile.contrast-black_scale-100.png C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\Assets\ValueProp_Unknown.png C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarSplashLogo.scale-250.png C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\NL7MODELS0009.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\rsod\excelmui.msi.16.en-us.tree.dat C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_filter\libfreeze_plugin.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Windows Media Player\Skins\Revert.wmz C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\StoreSmallTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Images\thumb_stats_render.png C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\snooze.contrast-black.png C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-left-pressed.gif C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\DSMESSAGES.XML C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-30.png C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Microsoft.Xbox.SmartGlass.Controls.winmd C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-24_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\de-de\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\root\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Grace-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GADUGIB.TTF C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ICE\ICE.INF C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\CalculatorStoreLogo.contrast-black_scale-100.png C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-96_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\pl\WindowsBase.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_ko_135x40.svg C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\es-MX\tipresx.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\ko\msipc.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-24_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\S-1-5-21-2930597513-779029253-718817275-1000-MergedResources-0.pri C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderSplashScreen.contrast-black_scale-100.png C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptyView-Dark.scale-125.png C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\wlibim.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\eBook.api C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PROOF\msth8ES.LEX C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Scientific.targetsize-64_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover_2x.png C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOMessageProvider.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ONWordAddin.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNewNoteMedTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-white_targetsize-72.png C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\_Resources\7.rsrc C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailMediumTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.IsolatedStorage.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\ReachFramework.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\vreg\onenote.x-none.msi.16.x-none.vreg.dat C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\codec\liba52_plugin.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\DE\Microsoft.VisualBasic.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\de\System.Runtime.WindowsRuntime.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\fr\aspnet_compiler.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\gradient_onWhite.gif C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cscomp.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\JA\aspnet_regbrowsers.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\it\System.Web.Entity.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ja\System.Numerics.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\de\aspnet.mfl.uninstall C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Tpm.Commands.Resources\v4.0_10.0.0.0_de_31bf3856ad364e35\Microsoft.Tpm.Commands.Resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ScheduledJob.Resources\v4.0_3.0.0.0_ja_31bf3856ad364e35\Microsoft.PowerShell.ScheduledJob.Resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic.resources\v4.0_10.0.0.0_it_b03f5f7f11d50a3a\Microsoft.VisualBasic.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Routing.resources\v4.0_4.0.0.0_fr_31bf3856ad364e35\System.ServiceModel.Routing.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Fonts\couri.ttf C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\Wizard\App_LocalResources\wizardCreateRoles.ascx.fr.resx C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Data.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ja\System.Runtime.WindowsRuntime.UI.Xaml.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ja\aspnet_compiler.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install.resources\v4.0_4.0.0.0_de_b03f5f7f11d50a3a\System.Configuration.Install.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security.Principal\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.Principal.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes.resources\v4.0_4.0.0.0_es_31bf3856ad364e35\UIAutomationTypes.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\3082\alinkui.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\Microsoft.Build.Tasks.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\1031\mscorees.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\PresentationHost_v0400.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.Resources\v4.0_10.0.0.0_ja_31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.Resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PLA\Reports\it-IT\Report.System.Common.xml C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\WindowsUpdate.admx C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\de-DE\P2P-pnrp.adml C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\it\shfusion.chm C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\en-US\Power.adml C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\fr-FR\NetworkConnections.adml C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\ja-JP\DiskQuota.adml C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\ja-JP\MDM.adml C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Cursors\busy_r.cur C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Globalization\ELS\SpellDictionaries\MsSp7de.acl C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Media\Windows Battery Low.wav C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v3.5\SQL\ja\SqlPersistenceProviderLogic.sql C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\Users\App_LocalResources\addUser.aspx.resx C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\App_LocalResources\EditAppSetting.aspx.ja.resx C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\WindowsProducts.admx C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\fr-FR\NetworkProvider.adml C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Boot\PCAT\nl-NL\memtest.exe.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\Roles\App_LocalResources\manageSingleRole.aspx.es.resx C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\fr\System.Workflow.ComponentModel.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\ja-JP\WindowsStore.adml C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Speech\Engines\SR\fr-FR\l1036.dlm C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Speech_OneCore\Engines\TTS\fr-FR\NUSData\M1036Nathalie.voiceAssistant.TNU C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Cursors\size3_rl.cur C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\App_LocalResources\ManageAppSettings.aspx.it.resx C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\App_GlobalResources\GlobalResources.de.resx C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\GlobalSerif.CompositeFont C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\App_LocalResources\DebugAndTrace.aspx.de.resx C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v3.5\ja\Microsoft.Build.Tasks.v3.5.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\App_LocalResources\AppConfigHome.aspx.ja.resx C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\de\System.Speech.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Cursors\aero_arrow.cur C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_Code\ProvidersPage.cs C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v3.5\EdmGen.exe.config C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\it\PresentationBuildTasks.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\de\System.IO.Log.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\de\aspnet.mfl C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\v4.0_10.0.0.0_es_31bf3856ad364e35\Microsoft.GroupPolicy.AdmTmplEditor.Resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost.Resources\v4.0_3.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.Resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Browser Information Discovery

discovery

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe"

Network

Country Destination Domain Proto
GB 2.18.27.76:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.178.3:80 c.pki.goog tcp

Files

C:\Program Files\7-Zip\7-zip.dll

MD5 0e3d1f6215f6a30ffe1f2067462e65ca
SHA1 52982274e7cdb889ca81423140ed658c85245053
SHA256 bd5fc8724054615e8fc9f9250a95b90d7ae937ea16ae89ae73cf52435f5bee9f
SHA512 78d8ad3440c8084b005ebdc0c428799b948f9029942c9b1bb2544ae0845abb91ff211a7643267d6c3a4dc6fdf6309802e379bb60d9140534f5778ad55ddbed1f

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

MD5 afdb2f4f900b383d99a45910017f6de9
SHA1 4f3252536d15c32d03d866369db50e0d4634c76a
SHA256 3651090856ed7a2a225e235e4256cccf3b38e9614debf451555bc9f4257f0c9a
SHA512 12982d5c4bd08c0698fb260e563b79c71a1610f81e8d06da599e22abd975efbf9ad42263bc3956c0c06f2784491c97e0a7c70949eb0671ff236a62e063b2565b

Analysis: behavioral2

Detonation Overview

Submitted

2025-05-18 14:57

Reported

2025-05-18 14:59

Platform

win11-20250502-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe"

Signatures

Gofing

ransomware gofing

Gofing family

gofing

Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

Description Indicator Process Target
N/A N/A N/A N/A

Renames multiple (52) files with added filename extension

ransomware

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\gm.dls C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\it-IT\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\fr-FR\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\en-US\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\es-ES\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\ja-JP\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\it-IT\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\uk-UA\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\de-DE\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\es-ES\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\fr-FR\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\gmreadme.txt C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\ja-JP\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\afunix.sys C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\de-DE\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\en-US\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\manifest.json C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Fonts\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Downloaded Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Media\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Vpci-VirtualDevice-FlexIo-Package~31bf3856ad364e35~amd64~fr-FR~10.0.22000.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0113~31bf3856ad364e35~amd64~es-ES~10.0.22000.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Lxss-Package~31bf3856ad364e35~amd64~~10.0.22000.493.cat C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Multimedia-MF-WOW64-Package~31bf3856ad364e35~amd64~it-IT~10.0.22000.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\ja-JP\eappgnui.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\uk-UA\PlayToStatusProvider.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Portable-Devices-merged-Package~31bf3856ad364e35~amd64~it-IT~10.0.22000.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\Dism\de-DE\GenericProvider.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\wbem\de-DE\vss.mfl C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0110~31bf3856ad364e35~amd64~ja-JP~10.0.22000.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.22000.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\credprovslegacy.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\ifsutil.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\Windows.UI.Search.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\dsauth.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-Containers-Package~31bf3856ad364e35~amd64~~10.0.22000.469.cat C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\Com\de-DE\comrepl.exe.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\ngcksp.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\@BackgroundAccessToastIcon.png C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Networking-Containers-Package~31bf3856ad364e35~amd64~de-DE~10.0.22000.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Multimedia-MF-WOW64-merged-Package~31bf3856ad364e35~amd64~en-US~10.0.22000.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-NewTabPageHost-Package~31bf3856ad364e35~amd64~es-ES~10.0.22000.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SnippingTool-FoD-Package~31bf3856ad364e35~amd64~fr-FR~10.0.22000.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-TabletPC-merged-Package~31bf3856ad364e35~amd64~en-US~10.0.22000.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\ja-JP\prnmngr.vbs C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSScheduledJob\PSScheduledJob.types.ps1xml C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\en-US\mshtmler.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\wbem\de-DE\WmiApRpl.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\wmsgapi.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-Containers-Guest-Shared-Package~31bf3856ad364e35~amd64~uk-UA~10.0.22000.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\fdeploy.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\wbem\fr-FR\cliegaliases.mfl C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\lt-LT\quickassist.exe.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\mfvfw.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\msdtcspoffln.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\rtm.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Onecore-SPP-VirtualDevice-Package~31bf3856ad364e35~amd64~en-US~10.0.22000.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-RegulatedPackages-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.22000.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\de-DE\dtsh.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\es-ES\IEAdvpack.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\ttdloader.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Containers-ApplicationGuard-Shared-Package~31bf3856ad364e35~amd64~~10.0.22000.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\en-US\gpedit.msc C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\en-US\odbcconf.exe.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\fr-FR\jscript9.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\ja-JP\Windows.Gaming.Input.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\spp\tokens\skus\csvlk-pack\csvlk-pack-Volume-CSVLK-5-ul-store-rtm.xrm-ms C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\sv-SE\comctl32.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\AppVStreamingUX.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-VmBus-VirtualDevice-Package~31bf3856ad364e35~amd64~de-DE~10.0.22000.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\atl110.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\clip.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\dswave.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\wbem\fastprox.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\AppMon.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\BamSettingsClient.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-RotMgr-Package~31bf3856ad364e35~amd64~en-US~10.0.22000.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\DriverStore\es-ES\ntprint.inf_loc C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\de-DE\at.exe.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\netlogon.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\vds_ps.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\wbem\fr-FR\PrintManagementProvider.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-VmBus-Host-merged-Package~31bf3856ad364e35~amd64~~10.0.22000.434.cat C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-MediaPlayback-OC-Package~31bf3856ad364e35~amd64~en-US~10.0.22000.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-60.png C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\fr\ReachFramework.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Windows Media Player\de-DE\setup_wm.exe.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Templates\1033\BillingStatement.xltx C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Mozilla Firefox\precomplete C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_x64__8wekyb3d8bbwe\Assets\contrast-black\GetHelpWideTile.scale-200_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_x64__8wekyb3d8bbwe\Resources\RetailDemo\data\en-us\RetailDemoData.json C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21012.10511.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\WorkingElsewhere.scale-100.png C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ReachFramework.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\sv-se\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\ext\access-bridge-64.jar C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Mso40UIwin32client.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\codec\libvpx_plugin.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\es-es\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\MSFT_PackageManagement.psm1 C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2103.1172.0_x64__8wekyb3d8bbwe\Assets\Tented\TentMobile_100x96.png C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxA-Advanced-Dark.scale-200.png C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-30.png C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\ja\UIAutomationTypes.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeXMP.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\es-ES\InkObj.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\uk-UA\InputPersonalization.exe.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msvcp120.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_2.2106.2807.0_x64__8wekyb3d8bbwe\Assets\KeywordSpotters\en-CA\Cortana.bin C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\hu-hu\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\hr-hr\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.ComponentModel.DataAnnotations.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\sd\icecast.luac C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailWideTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Debug.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\oneds.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Getstarted_10.2.41172.0_x64__8wekyb3d8bbwe\Assets\TipsAppList.targetsize-20_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.ScreenSketch_11.2104.2.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SnipSketchAppList.targetsize-24_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-256_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\Trust Protection Lists\Sigma\Other C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Retail-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_x64__8wekyb3d8bbwe\AppxSignature.p7x C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\EmptyCalendarSearch.scale-100.png C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\selector.js C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Windows NT\TableTextService\TableTextServiceArray.txt C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1 C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClientIsv.man C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Getstarted_10.2.41172.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\TipsLargeTile.scale-200_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-72_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-80_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Forms.Primitives.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2020.503.58.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\contrast-white\CameraStoreLogo.scale-200.png C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreBadgeLogo.scale-100.png C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.50.24002.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\GameBar_LargeTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib\components\GroupedList\GroupHeader.types.js C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\Office.png C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Security.Cryptography.Cng.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Xml.XPath.XDocument.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.MicrosoftSolitaireCollection_4.6.3102.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.ScreenSketch_11.2104.2.0_x64__8wekyb3d8bbwe\Assets\ClippingTool.targetsize-24.png C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21012.10511.0_x64__8wekyb3d8bbwe\ModifiedAlphaTexturePixelShader.cso C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-amd\ExtendedPicker.js C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-amd\components\Breadcrumb\Breadcrumb.js C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\EmptyView-Dark.scale-125.png C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\offsymt.ttf C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Numerics.Vectors.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\PolicyDefinitions\fr-FR\ServiceControlManager.adml C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\WebAdminStyles.css C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\it\Regasm.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ComponentModel.Primitives\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ComponentModel.Primitives.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Transactions.resources\v4.0_4.0.0.0_de_b77a5c561934e089\System.Transactions.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PLA\Rules\Rules.System.Summary.xml C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Fonts\dos869.fon C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\netefe3e.inf C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ImmersiveControlPanel\en-US\SystemSettings.exe.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ImmersiveControlPanel\pris\resources.en-US.pri C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Installer\SourceHash{79043ED0-7ED1-4227-A5E5-04C5594D21F7} C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\es\ComSvcConfig.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ja\System.Windows.Forms.DataVisualization.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.WindowsRuntime\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.WindowsRuntime.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\1033\CvtResUI.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_LocalResources\home1.aspx.fr.resx C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\it\PresentationUI.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\system.data.sqlxml.resources\v4.0_4.0.0.0_ja_b77a5c561934e089\system.data.sqlxml.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PLA\Rules\fr-FR\Rules.System.Wireless.xml C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\ja-JP\Conf.adml C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Boot\PCAT\es-ES\memtest.exe.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v3.5\de\EdmGen.Resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard\App_LocalResources\wizardAuthentication.ascx.resx C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Runtime.WindowsRuntime.UI.Xaml.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Speech\Engines\Lexicon\en-US\grph1033.lxa C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SrpUxSnapIn.resources\v4.0_10.0.0.0_ja_31bf3856ad364e35\SrpUxSnapIn.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Net.Http.WebRequest.resources\v4.0_4.0.0.0_es_b03f5f7f11d50a3a\System.Net.Http.WebRequest.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Routing\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Routing.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_vcomp100_x86 C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\1040\mscorees.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\it\Microsoft.Activities.Build.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\App_LocalResources\DefineErrorPage.aspx.de.resx C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\App_LocalResources\WebAdminHelp_Provider.aspx.resx C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Transactions.Bridge.resources\v4.0_4.0.0.0_ja_b03f5f7f11d50a3a\Microsoft.Transactions.Bridge.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.Commands.GetDiagInput.Resources\v4.0_1.0.0.0_es_31bf3856ad364e35\Microsoft.Windows.Diagnosis.Commands.GetDiagInput.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PLA\Rules\uk-UA\Rules.System.Wireless.xml C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Cursors\person.svg C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\web.config.comments C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility.Resources\v4.0_3.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.Resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Messaging.resources\v4.0_4.0.0.0_fr_b03f5f7f11d50a3a\System.Messaging.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Reflection.Context.resources\v4.0_4.0.0.0_de_b77a5c561934e089\System.Reflection.Context.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PLA\Rules\fr-FR\Rules.System.Diagnostics.xml C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\en-US\wwansvc.adml C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\fr-FR\PerformanceDiagnostics.adml C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AdobeXMP.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\fr\System.Runtime.Serialization.Formatters.Soap.Resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\1041\clretwrc.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\it-IT\DigitalLocker.adml C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\hidinterrupt.PNF C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100u_x86 C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\L2Schemas\WLAN_profile_v4.xsd C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\Roles\App_LocalResources\manageAllRoles.aspx.fr.resx C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\ja\PresentationCore.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management.Resources\v4.0_3.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.Resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\WinMaps.admx C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\Browsers\panasonic.browser C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\Wizard\App_LocalResources\wizardFinish.ascx.resx C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Users\App_LocalResources\editUser.aspx.fr.resx C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Panther\_s_351B.tmp C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Boot\EFI\ko-KR\bootmgfw.efi.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Fonts\8514oeme.fon C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\bth.PNF C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\hidinterrupt.inf C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Browser Information Discovery

discovery

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-18_2f54b08a735e708919b8a3c6426eee80_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe"

Network

Country Destination Domain Proto
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
GB 142.250.178.3:80 c.pki.goog tcp
GB 2.18.27.82:443 www.bing.com tcp

Files

C:\Program Files\7-Zip\7z.dll

MD5 b096495b0cf4ff624351470684bd99c4
SHA1 e964bca156f3a6fb2b4e4f81d30587e941ba8b33
SHA256 0317821dcd00ce6ba6a1def88457f05611fb54846f6ec4c0da63240093b5fc81
SHA512 64549035c4124a7132434a47152c3d3f3dd9f405494a1b4a850c5487654f58b9ee8754d836223a32dc74a1b0f919564591438c1ce945ceb22f7f79787b7ad9af