Malware Analysis Report

2025-08-10 20:10

Sample ID: 250518-scmx9sfk51
Target: 2025-05-18_3f1a0f054901f2abe8d3a6cb41f383fb_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch
SHA256: 95845e085aa028de80b5b458eb3f8332f701cb13c3eb65cefb2037e352f4ebdb
Tags: gofing credential_access discovery ransomware spyware stealer
Score: 10/10

Analysis Overview

Threat Level: Known bad

The file 2025-05-18_3f1a0f054901f2abe8d3a6cb41f383fb_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch was found to be: Known bad.

Malicious Activity Summary

gofing credential_access discovery ransomware spyware stealer

Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

Gofing family

Gofing

Renames multiple (51) files with added filename extension

Drops file in Drivers directory

Manipulates Digital Signatures

Drops startup file

Credentials from Password Stores: Windows Credential Manager

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Drops Chrome extension

Drops autorun.inf file

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Browser Information Discovery

Unsigned PE

Analysis: static1

Detonation Overview

Reported

2025-05-18 14:58

Signatures

Gofing family

gofing

Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-18 14:58

Reported

2025-05-18 15:01

Platform

win10v2004-20250502-en

Max time kernel

150s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-18_3f1a0f054901f2abe8d3a6cb41f383fb_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe"

Signatures

Gofing

ransomware gofing

Gofing family

gofing

Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

Renames multiple (51) files with added filename extension

ransomware

Drops file in Drivers directory

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_3f1a0f054901f2abe8d3a6cb41f383fb_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\manifest.json C:\Users\Admin\AppData\Local\Temp\2025-05-18_3f1a0f054901f2abe8d3a6cb41f383fb_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Drops desktop.ini file(s)

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-18_3f1a0f054901f2abe8d3a6cb41f383fb_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Drops file in System32 directory

File created C:\Windows\System32\de-DE\EnterpriseAppMgmtSvc.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_3f1a0f054901f2abe8d3a6cb41f383fb_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CBDHSvc.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_3f1a0f054901f2abe8d3a6cb41f383fb_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Host-Guardian-Deployment-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-18_3f1a0f054901f2abe8d3a6cb41f383fb_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CompPkgSrv.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_3f1a0f054901f2abe8d3a6cb41f383fb_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\intelta.inf_amd64_ba962d801a22973c\IntelTA.sys C:\Users\Admin\AppData\Local\Temp\2025-05-18_3f1a0f054901f2abe8d3a6cb41f383fb_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\FsNVSDeviceSource.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_3f1a0f054901f2abe8d3a6cb41f383fb_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\KBDUGHR1.DLL C:\Users\Admin\AppData\Local\Temp\2025-05-18_3f1a0f054901f2abe8d3a6cb41f383fb_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PrintManagement\MSFT_WsdPrinterPort.types.ps1xml C:\Users\Admin\AppData\Local\Temp\2025-05-18_3f1a0f054901f2abe8d3a6cb41f383fb_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\it-IT\iexpress.exe.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_3f1a0f054901f2abe8d3a6cb41f383fb_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\msIso.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_3f1a0f054901f2abe8d3a6cb41f383fb_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\shimeng.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_3f1a0f054901f2abe8d3a6cb41f383fb_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\ActiveSyncProvider.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_3f1a0f054901f2abe8d3a6cb41f383fb_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\acpipagr.inf_amd64_a3248d35e6aba0f3\acpipagr.inf C:\Users\Admin\AppData\Local\Temp\2025-05-18_3f1a0f054901f2abe8d3a6cb41f383fb_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\DriverStore\ja-JP\ks.inf_loc C:\Users\Admin\AppData\Local\Temp\2025-05-18_3f1a0f054901f2abe8d3a6cb41f383fb_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\Hydrogen\BakedPlugins\Physics\presetmotionpropertiesfrozendeprecated.hbakedmotionproperties C:\Users\Admin\AppData\Local\Temp\2025-05-18_3f1a0f054901f2abe8d3a6cb41f383fb_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\de-DE\LanguageOverlayServer.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_3f1a0f054901f2abe8d3a6cb41f383fb_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\ChtBopomofoDS.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_3f1a0f054901f2abe8d3a6cb41f383fb_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\DriverStore\fr-FR\netvg63a.inf_loc C:\Users\Admin\AppData\Local\Temp\2025-05-18_3f1a0f054901f2abe8d3a6cb41f383fb_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\Configuration\BaseRegistration\ja-JP\MSFT_MetaConfigurationExtensionClasses.Schema.mfl C:\Users\Admin\AppData\Local\Temp\2025-05-18_3f1a0f054901f2abe8d3a6cb41f383fb_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\TaskSchdPS.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_3f1a0f054901f2abe8d3a6cb41f383fb_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\en-US\NetworkItemFactory.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_3f1a0f054901f2abe8d3a6cb41f383fb_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\fr-FR\neth.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_3f1a0f054901f2abe8d3a6cb41f383fb_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\uk-UA\gpapi.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-18_3f1a0f054901f2abe8d3a6cb41f383fb_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Portable-Devices-WOW64-merged-Package~31bf3856ad364e35~amd64~uk-UA~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-18_3f1a0f054901f2abe8d3a6cb41f383fb_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmnttte.inf_amd64_f017e7b18ec67a97\mdmnttte.inf C:\Users\Admin\AppData\Local\Temp\2025-05-18_3f1a0f054901f2abe8d3a6cb41f383fb_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Drops file in Program Files directory


Drops file in Windows directory

File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.JScript.tlb C:\Users\Admin\AppData\Local\Temp\2025-05-18_3f1a0f054901f2abe8d3a6cb41f383fb_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\de\System.Configuration.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_3f1a0f054901f2abe8d3a6cb41f383fb_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_64\AuditPolicyGPManagedStubs.Interop\v4.0_10.0.0.0__31bf3856ad364e35\AuditPolicyGPManagedStubs.Interop.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_3f1a0f054901f2abe8d3a6cb41f383fb_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ComponentModel.Composition.resources\v4.0_4.0.0.0_fr_b77a5c561934e089\System.ComponentModel.Composition.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_3f1a0f054901f2abe8d3a6cb41f383fb_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Panther\setupact.log C:\Users\Admin\AppData\Local\Temp\2025-05-18_3f1a0f054901f2abe8d3a6cb41f383fb_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\mbtr8897w81x64.inf C:\Users\Admin\AppData\Local\Temp\2025-05-18_3f1a0f054901f2abe8d3a6cb41f383fb_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\App_LocalResources\setUpAuthentication.aspx.it.resx C:\Users\Admin\AppData\Local\Temp\2025-05-18_3f1a0f054901f2abe8d3a6cb41f383fb_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\fr\WindowsBase.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_3f1a0f054901f2abe8d3a6cb41f383fb_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ja\Microsoft.Build.Engine.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_3f1a0f054901f2abe8d3a6cb41f383fb_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.IsolatedStorage\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.IO.IsolatedStorage.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_3f1a0f054901f2abe8d3a6cb41f383fb_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Workflow.ComponentModel.resources\v4.0_4.0.0.0_es_31bf3856ad364e35\System.Workflow.ComponentModel.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_3f1a0f054901f2abe8d3a6cb41f383fb_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\TaskScheduler.Resources\v4.0_10.0.0.0_en_31bf3856ad364e35\TaskScheduler.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_3f1a0f054901f2abe8d3a6cb41f383fb_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\en-US\nca.adml C:\Users\Admin\AppData\Local\Temp\2025-05-18_3f1a0f054901f2abe8d3a6cb41f383fb_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Fonts\vgas1256.fon C:\Users\Admin\AppData\Local\Temp\2025-05-18_3f1a0f054901f2abe8d3a6cb41f383fb_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\.NET CLR Networking 4.0.0.0\0407\_Networkingperfcounters_d.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_3f1a0f054901f2abe8d3a6cb41f383fb_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelRegUI.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_3f1a0f054901f2abe8d3a6cb41f383fb_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\es\System.ComponentModel.DataAnnotations.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_3f1a0f054901f2abe8d3a6cb41f383fb_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\fr\System.ServiceModel.Internals.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_3f1a0f054901f2abe8d3a6cb41f383fb_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\JA\System.Deployment.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_3f1a0f054901f2abe8d3a6cb41f383fb_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtilLib.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_3f1a0f054901f2abe8d3a6cb41f383fb_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Build.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_3f1a0f054901f2abe8d3a6cb41f383fb_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Xml.XmlDocument.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_3f1a0f054901f2abe8d3a6cb41f383fb_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\es\System.Messaging.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_3f1a0f054901f2abe8d3a6cb41f383fb_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\es-ES\OOBE.adml C:\Users\Admin\AppData\Local\Temp\2025-05-18_3f1a0f054901f2abe8d3a6cb41f383fb_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\fr-FR\TPM.adml C:\Users\Admin\AppData\Local\Temp\2025-05-18_3f1a0f054901f2abe8d3a6cb41f383fb_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\ja-JP\OOBE.adml C:\Users\Admin\AppData\Local\Temp\2025-05-18_3f1a0f054901f2abe8d3a6cb41f383fb_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\bcmfn2.PNF C:\Users\Admin\AppData\Local\Temp\2025-05-18_3f1a0f054901f2abe8d3a6cb41f383fb_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Text.RegularExpressions.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_3f1a0f054901f2abe8d3a6cb41f383fb_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\fr\System.Runtime.Serialization.Formatters.Soap.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_3f1a0f054901f2abe8d3a6cb41f383fb_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\App_LocalResources\setUpAuthentication.aspx.it.resx C:\Users\Admin\AppData\Local\Temp\2025-05-18_3f1a0f054901f2abe8d3a6cb41f383fb_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Xml.XmlSerializer.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_3f1a0f054901f2abe8d3a6cb41f383fb_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Net.resources\v4.0_4.0.0.0_it_b03f5f7f11d50a3a\System.Net.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_3f1a0f054901f2abe8d3a6cb41f383fb_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\TAPISRV\0411\tapiperf.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_3f1a0f054901f2abe8d3a6cb41f383fb_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Browser Information Discovery

discovery

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-18_3f1a0f054901f2abe8d3a6cb41f383fb_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-18_3f1a0f054901f2abe8d3a6cb41f383fb_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
GB 2.18.27.82:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.178.3:80 c.pki.goog tcp

Files

C:\Program Files\7-Zip\7-zip.dll

MD5 d376e3eecadc8f4d8753e9d6d4523b55
SHA1 7132504cc63ba3bd3300cdfdd9f3e92c029cb730
SHA256 21057c0eb8289d0978bcef9e738ddc9dac41ad2d155d53f74fdf9476d869e090
SHA512 c60ca0f72329e05d2b6543b1d48ff27364763d06ffd7693509f6b38969e3982a091bd80742f8eababb65cc2f97353137092fc154d273f062305be5b3d5847007