Malware Analysis Report

2025-08-10 20:10

Sample ID 250518-r3wseser2x
Target 2025-05-18_0af534a1fe545a1bfa3da999aa23a50a_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch
SHA256 0d4b5b19d9034a26a51b9febeac248bc9666834b5aa0c08756b4e3428299ddf2
Tags gofing credential_access discovery ransomware spyware stealer
Score 10/10

Analysis Overview

Threat Level: Known bad

The file 2025-05-18_0af534a1fe545a1bfa3da999aa23a50a_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch was found to be: Known bad.

Malicious Activity Summary

gofing credential_access discovery ransomware spyware stealer

Gofing family

Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

Gofing

Manipulates Digital Signatures

Drops file in Drivers directory

Drops startup file

Credentials from Password Stores: Windows Credential Manager

Reads user/profile data of web browsers

Drops Chrome extension

Drops desktop.ini file(s)

Drops autorun.inf file

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Browser Information Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-18 14:43

Signatures

Gofing family

gofing

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-18 14:43

Reported

2025-05-18 14:46

Platform

win10v2004-20250502-en

Max time kernel

150s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-18_0af534a1fe545a1bfa3da999aa23a50a_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe"

Signatures

Gofing

ransomware gofing

Gofing family

gofing

Drops file in Drivers directory

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_0af534a1fe545a1bfa3da999aa23a50a_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\manifest.json C:\Users\Admin\AppData\Local\Temp\2025-05-18_0af534a1fe545a1bfa3da999aa23a50a_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Drops desktop.ini file(s)

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-18_0af534a1fe545a1bfa3da999aa23a50a_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Drops file in System32 directory

File created C:\Windows\System32\DriverStore\FileRepository\rt640x64.inf_amd64_8984d8483eef476c\rt640x64.inf C:\Users\Admin\AppData\Local\Temp\2025-05-18_0af534a1fe545a1bfa3da999aa23a50a_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\DriverStore\de-DE\wvmbusvideo.inf_loc C:\Users\Admin\AppData\Local\Temp\2025-05-18_0af534a1fe545a1bfa3da999aa23a50a_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\DriverStore\fr-FR\storfwupdate.inf_loc C:\Users\Admin\AppData\Local\Temp\2025-05-18_0af534a1fe545a1bfa3da999aa23a50a_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\raschap.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_0af534a1fe545a1bfa3da999aa23a50a_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Printing-PremiumTools-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-18_0af534a1fe545a1bfa3da999aa23a50a_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\Com\es-ES\comrepl.exe.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_0af534a1fe545a1bfa3da999aa23a50a_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\Dism\AppxProvider.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_0af534a1fe545a1bfa3da999aa23a50a_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\SmbMapping.cdxml C:\Users\Admin\AppData\Local\Temp\2025-05-18_0af534a1fe545a1bfa3da999aa23a50a_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\mfc110deu.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_0af534a1fe545a1bfa3da999aa23a50a_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-IIS-WebServer-AddOn-ServerCommon-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-18_0af534a1fe545a1bfa3da999aa23a50a_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-PowerShell-ISE-FOD-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-18_0af534a1fe545a1bfa3da999aa23a50a_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\es-ES\sc.exe.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_0af534a1fe545a1bfa3da999aa23a50a_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\ja-JP\wldap32.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_0af534a1fe545a1bfa3da999aa23a50a_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\twinapi.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_0af534a1fe545a1bfa3da999aa23a50a_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\wbem\en-US\ServDeps.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_0af534a1fe545a1bfa3da999aa23a50a_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Multimedia-MF-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-18_0af534a1fe545a1bfa3da999aa23a50a_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\url.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_0af534a1fe545a1bfa3da999aa23a50a_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ArchiveResource\ja-JP\ArchiveProvider.psd1 C:\Users\Admin\AppData\Local\Temp\2025-05-18_0af534a1fe545a1bfa3da999aa23a50a_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\en-US\lipeula.rtf C:\Users\Admin\AppData\Local\Temp\2025-05-18_0af534a1fe545a1bfa3da999aa23a50a_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\spacebridge.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_0af534a1fe545a1bfa3da999aa23a50a_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Holographic-Desktop-Merged-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1266.cat C:\Users\Admin\AppData\Local\Temp\2025-05-18_0af534a1fe545a1bfa3da999aa23a50a_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\remoteposdrv.inf_amd64_0f0da968c1cfce06\remoteposdrv.inf C:\Users\Admin\AppData\Local\Temp\2025-05-18_0af534a1fe545a1bfa3da999aa23a50a_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\DriverStore\fr-FR\wvid.inf_loc C:\Users\Admin\AppData\Local\Temp\2025-05-18_0af534a1fe545a1bfa3da999aa23a50a_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Drops file in Program Files directory


Drops file in Windows directory

File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\it\System.EnterpriseServices.Resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_0af534a1fe545a1bfa3da999aa23a50a_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem.resources\v4.0_4.0.0.0_it_b77a5c561934e089\System.IO.Compression.FileSystem.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_0af534a1fe545a1bfa3da999aa23a50a_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\it-IT\WindowsColorSystem.adml C:\Users\Admin\AppData\Local\Temp\2025-05-18_0af534a1fe545a1bfa3da999aa23a50a_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\de\System.Windows.Input.Manipulations.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_0af534a1fe545a1bfa3da999aa23a50a_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ScheduledJob.Resources\v4.0_3.0.0.0_it_31bf3856ad364e35\Microsoft.PowerShell.ScheduledJob.Resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_0af534a1fe545a1bfa3da999aa23a50a_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\de-DE\EventForwarding.adml C:\Users\Admin\AppData\Local\Temp\2025-05-18_0af534a1fe545a1bfa3da999aa23a50a_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\es-ES\EncryptFilesonMove.adml C:\Users\Admin\AppData\Local\Temp\2025-05-18_0af534a1fe545a1bfa3da999aa23a50a_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\ja-JP\srm-fci.adml C:\Users\Admin\AppData\Local\Temp\2025-05-18_0af534a1fe545a1bfa3da999aa23a50a_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Fonts\corbelz.ttf C:\Users\Admin\AppData\Local\Temp\2025-05-18_0af534a1fe545a1bfa3da999aa23a50a_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\basicrender.PNF C:\Users\Admin\AppData\Local\Temp\2025-05-18_0af534a1fe545a1bfa3da999aa23a50a_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\battery.inf C:\Users\Admin\AppData\Local\Temp\2025-05-18_0af534a1fe545a1bfa3da999aa23a50a_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\megasas35i.inf C:\Users\Admin\AppData\Local\Temp\2025-05-18_0af534a1fe545a1bfa3da999aa23a50a_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\adobearmhelper.exe.BDCA7721_F290_4124_BBED_7A15FE7694EB C:\Users\Admin\AppData\Local\Temp\2025-05-18_0af534a1fe545a1bfa3da999aa23a50a_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\DE\Microsoft.Build.Engine.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_0af534a1fe545a1bfa3da999aa23a50a_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Activities.Build.resources\v4.0_4.0.0.0_de_31bf3856ad364e35\Microsoft.Activities.Build.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_0af534a1fe545a1bfa3da999aa23a50a_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ISECommon.Resources\v4.0_3.0.0.0_de_31bf3856ad364e35\Microsoft.PowerShell.ISECommon.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_0af534a1fe545a1bfa3da999aa23a50a_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\microsoft_bluetooth_a2dp.PNF C:\Users\Admin\AppData\Local\Temp\2025-05-18_0af534a1fe545a1bfa3da999aa23a50a_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_LocalResources\WebAdminHelp_Application.aspx.de.resx C:\Users\Admin\AppData\Local\Temp\2025-05-18_0af534a1fe545a1bfa3da999aa23a50a_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\de\System.ServiceModel.Activation.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_0af534a1fe545a1bfa3da999aa23a50a_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml.ReaderWriter\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Xml.ReaderWriter.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_0af534a1fe545a1bfa3da999aa23a50a_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Fonts\corbelb.ttf C:\Users\Admin\AppData\Local\Temp\2025-05-18_0af534a1fe545a1bfa3da999aa23a50a_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Fonts\dosapp.fon C:\Users\Admin\AppData\Local\Temp\2025-05-18_0af534a1fe545a1bfa3da999aa23a50a_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\Ace.dll_NON_OPT C:\Users\Admin\AppData\Local\Temp\2025-05-18_0af534a1fe545a1bfa3da999aa23a50a_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\DE\System.xml.Resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_0af534a1fe545a1bfa3da999aa23a50a_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\App_LocalResources\setUpAuthentication.aspx.fr.resx C:\Users\Admin\AppData\Local\Temp\2025-05-18_0af534a1fe545a1bfa3da999aa23a50a_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\tls.psd1 C:\Users\Admin\AppData\Local\Temp\2025-05-18_0af534a1fe545a1bfa3da999aa23a50a_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.ApplicationId.RuleWizard.Resources\v4.0_10.0.0.0_de_31bf3856ad364e35\Microsoft.ApplicationId.RuleWizard.Resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_0af534a1fe545a1bfa3da999aa23a50a_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\fr-FR\DeviceGuard.adml C:\Users\Admin\AppData\Local\Temp\2025-05-18_0af534a1fe545a1bfa3da999aa23a50a_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Fonts\calibrili.ttf C:\Users\Admin\AppData\Local\Temp\2025-05-18_0af534a1fe545a1bfa3da999aa23a50a_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Fonts\smaf1255.fon C:\Users\Admin\AppData\Local\Temp\2025-05-18_0af534a1fe545a1bfa3da999aa23a50a_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\vstxraid.PNF C:\Users\Admin\AppData\Local\Temp\2025-05-18_0af534a1fe545a1bfa3da999aa23a50a_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\1033\FileTrackerUI.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_0af534a1fe545a1bfa3da999aa23a50a_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\System.ServiceProcess.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_0af534a1fe545a1bfa3da999aa23a50a_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Browser Information Discovery

discovery

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-18_0af534a1fe545a1bfa3da999aa23a50a_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-18_0af534a1fe545a1bfa3da999aa23a50a_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe"

Network

Country Destination Domain Proto
GB 2.18.27.82:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.178.3:80 c.pki.goog tcp

Files

C:\Program Files\7-Zip\7-zip.dll

MD5 097902e58bdd2fff6abc78b411b07520
SHA1 7f4d1a52a0514642d4656081b1b65f033fd2ee97
SHA256 c12892976d1035582b4939c5d0772e53b5118191c79b468b4cc4053dcf5e5ab2
SHA512 e971f349539a78aa1538d0759df5dc025c480ae262125aab5fce95c10f7ac56fdf8ca18835b63f8d3757f2c69d4d1ce6c220a8a244dcff0e37df5772d435377f