Malware Analysis Report

2025-08-05 15:06

Sample ID 250519-r25zpszlv3
Target 2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch
SHA256 0a6d055a00f21b3044aed28427d2cd4aadda46c986af2a1390c5e06af36fcf34
Tags
gofing credential_access discovery ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Threat Level: Known bad

The file 2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch was found to be: Known bad.

Malicious Activity Summary

gofing credential_access discovery ransomware spyware stealer

Gofing family

Gofing

Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

Renames multiple (52) files with added filename extension

Drops file in Drivers directory

Manipulates Digital Signatures

Loads dropped DLL

Credentials from Password Stores: Windows Credential Manager

Reads user/profile data of web browsers

Drops startup file

Executes dropped EXE

Drops desktop.ini file(s)

Drops Chrome extension

Drops file in System32 directory

Drops autorun.inf file

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Browser Information Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-19 14:42

Signatures

Gofing family

gofing

Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-19 14:42

Reported

2025-05-19 14:44

Platform

win10v2004-20250502-en

Max time kernel

150s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe"

Signatures

Gofing

ransomware gofing

Gofing family

gofing

Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

Drops file in Drivers directory

Manipulates Digital Signatures

Description Indicator Process Target
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Loads dropped DLL

Reads user/profile data of web browsers

spyware stealer

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\manifest.json C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Drops desktop.ini file(s)

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Drops file in System32 directory

File created C:\Windows\SysWOW64\fr-FR\apphelp.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\fr-FR\shwebsvc.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\it-IT\DevDispItemProvider.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\it-IT\iologmsg.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\Dism\es-ES\AssocProvider.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\KBDINHIN.DLL C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Provisioning\provcmdlets.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\en-US\qdv.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\F12\ja-JP\F12Script.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\KBDBR.DLL C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\auditpol.exe C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\es-ES\svchost.exe.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\ja-JP\hgcpl.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\de-DE\telephon.cpl.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\downlevel\api-ms-win-security-base-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\ja-JP\rasgcw.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\mprext.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\DeviceFlows.DataModel.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\MapControlStringsRes.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1 C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\en-US\p2p.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\fr-FR\cmcfg32.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\it-IT\p2pnetsh.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\ja-JP\shutdown.exe.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Drops file in Program Files directory


Drops file in Windows directory

File created C:\Windows\ImmersiveControlPanel\images\logo.scale-100_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.ComponentModel.EventBasedAsync.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\fr\System.Web.Services.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\wvmic_ext.inf C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.JScript.tlb C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\webAdminButtonRow.master C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\ja\DropSqlPersistenceProviderSchema.sql C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\de\System.Data.DataSetExtensions.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Prefetch\PfPre_7d37fba9.mkd C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Speech_OneCore\Engines\TTS\en-US\M1033Zira.SPEECHUX.NUS C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Transactions.Bridge.Dtc.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Channels.resources\v4.0_4.0.0.0_ja_31bf3856ad364e35\System.ServiceModel.Channels.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File opened for modification C:\Windows\BitLockerDiscoveryVolumeContents\zh-TW_BitLockerToGo.exe.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Cursors\arrow_i.cur C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\it\SqlPersistenceService_Logic.sql C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Threading.Overlapped.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\es\System.RunTime.Serialization.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_perf2.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Installer\$PatchCache$\Managed\00006109E70000000100000000F01FEC\16.0.12527\vccorlib140.dll_x64 C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\it\System.Data.Services.Client.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\App_LocalResources\security0.aspx.resx C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\DE\System.Configuration.Install.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File opened for modification C:\Windows\BitLockerDiscoveryVolumeContents\th-TH_BitLockerToGo.exe.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ES\System.DirectoryServices.Resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\de\System.Messaging.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\it\XsdBuildTask.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\App_LocalResources\DefineErrorPage.aspx.resx C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\WindowsColorSystem.admx C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\PERFLIB\0C0A\perfd.dat C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Providers\App_LocalResources\chooseProviderManagement.aspx.it.resx C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard\App_LocalResources\wizardAddUser.ascx.fr.resx C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Browser Information Discovery

discovery

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe"

Network

Country Destination Domain Proto
NL 2.16.106.196:443 www.bing.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 216.58.201.99:80 c.pki.goog tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
NL 2.16.106.196:443 www.bing.com tcp

Files

C:\Program Files\7-Zip\7-zip.dll

MD5 fa95791edb6f7f9e170e0ca8d39ab94b
SHA1 c11c24fde0339d9a79830abccfcf15683fb21a54
SHA256 f1551028c2b62804b1f93ec708ed2d11a240d1d1cb42d0b64ab5689d9490a1c2
SHA512 1ccb82d9fbd8954ce4907a111417a4cd17a0520f15a3e51c7100da3baccfaaa99018a4ba7e857f6340db1519364cca05708da89bc11f02d3371fa122a5838af3

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

MD5 17ae70a8bfe1ee11b83ca8189c409a61
SHA1 36092e0d5337a7ee70f6cbc0f83e9ae3b6fabcff
SHA256 0c7ae7decd873e2e99a3165d0591fc9ccb75ece6bdcd54ba7e42da7d83d847cd
SHA512 0143d9b14e453de40052723713c6226cbb220f3617dd10f24980f8db220e1cf08c9d286cd4d6351b3b62dda9c54c941cab96d3cd1821c8d181ec1c362aefcf75

C:\Program Files\Microsoft Office\root\Office16\VISSHE.DLL

MD5 d69a71081fe1bb09f00a5af73a7dda98
SHA1 f479a258b5dd574656b130df23cbbeecfbdc981f
SHA256 2e03f3166fad0a3b11d9045aa9da64941e890dcae5073873d8c855a3014f5c36
SHA512 7d93fef387e175a3b106b4e408ca37d6a3c0d95ab9f7a4be23619d9a4f5d442520bb24c8aef1fbb4227d7b3a9d49c70c804c01a380f53a2ef59d583981bc6959

Analysis: behavioral2

Detonation Overview

Submitted

2025-05-19 14:42

Reported

2025-05-19 14:44

Platform

win11-20250508-en

Max time kernel

150s

Max time network

103s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe"

Signatures

Gofing

ransomware gofing

Gofing family

gofing

Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

Description Indicator Process Target
N/A N/A N/A N/A

Renames multiple (52) files with added filename extension

ransomware

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\fr-FR\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\uk-UA\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\de-DE\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\de-DE\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\en-US\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\it-IT\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\ja-JP\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\ja-JP\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\gm.dls C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\es-ES\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\es-ES\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\fr-FR\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\gmreadme.txt C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\it-IT\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\afunix.sys C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\en-US\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\manifest.json C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Downloaded Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Offline Web Pages\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Drops file in System32 directory

Description Indicator Process Target

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-24_altform-lightunplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\UIAutomationClientSideProviders.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon_hover_2x.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sk-sk\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\edge_game_assist\VERSION C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_4.0.2.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\S-1-5-21-3687046934-3833731302-526866946-1000-MergedResources-0.pri C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\StoreStoreLogo.scale-100.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-convert-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\wsdetect.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Mozilla Firefox\libGLESv2.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_x64__8wekyb3d8bbwe\Assets\paintpicture.targetsize-16.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.ScreenSketch_11.2104.2.0_x64__8wekyb3d8bbwe\AppxManifest.xml C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2020.503.58.0_x64__8wekyb3d8bbwe\Assets\contrast-white\CameraAppList.targetsize-30.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2102.13.0_x64__8wekyb3d8bbwe\Assets\contrast-black\NotepadAppList.targetsize-60.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\WindowsFormsIntegration.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Drops file in Windows directory

Description Indicator Process Target

Browser Information Discovery

discovery

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-19_a818eb5064fa0c5a4929baf32832853c_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe"

Network

Files

C:\Program Files\7-Zip\7-zip32.dll


C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll


C:\Program Files\Microsoft Office\root\Office16\VISSHE.DLL
