Malware Analysis Report

2025-08-05 15:06

Sample ID 250519-qydklsypw4
Target 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch
SHA256 42e2feeb098bd035ccbd01d5bd59d6bdf3af9779d445e70085750479592d7376
Tags
gofing credential_access discovery ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

42e2feeb098bd035ccbd01d5bd59d6bdf3af9779d445e70085750479592d7376

Threat Level: Known bad

The file 2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch was found to be: Known bad.

Malicious Activity Summary

gofing credential_access discovery ransomware spyware stealer

Gofing family

Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

Gofing

Renames multiple (51) files with added filename extension

Drops file in Drivers directory

Manipulates Digital Signatures

Credentials from Password Stores: Windows Credential Manager

Loads dropped DLL

Executes dropped EXE

Drops startup file

Reads user/profile data of web browsers

Drops Chrome extension

Drops desktop.ini file(s)

Drops autorun.inf file

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Browser Information Discovery

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-19 13:39

Signatures

Gofing family

gofing

Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-19 13:39

Reported

2025-05-19 13:42

Platform

win10v2004-20250502-en

Max time kernel

150s

Max time network

113s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe"

Signatures

Gofing

ransomware gofing

Gofing family

gofing

Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\gm.dls C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\de-DE\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\en-US\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\es-ES\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\es-ES\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\fr-FR\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\fr-FR\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\afunix.sys C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\gmreadme.txt C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\it-IT\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\ja-JP\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\en-US\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\it-IT\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\ja-JP\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\de-DE\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\uk-UA\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\manifest.json C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Fonts\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Media\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\$Recycle.Bin\S-1-5-21-186956858-2143653872-2609589082-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\F12\DiagnosticsHub.ScriptedSandboxPlugin.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\wbem\es-ES\storagewmi_passthru.mfl C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\wbem\ja-JP\htable.xsl C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WorkFoldersRes.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\cmifw.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\dot3dlg.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\ja-JP\regedit.exe.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\wbem\en-US\mstscax.mfl C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\Com\fr-FR\comrepl.exe.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\es-ES\mapi32.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\wbem\it-IT\ServiceModel35.mfl C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\KBDIULAT.DLL C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\catsrvut.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\uk-UA\StorageContextHandler.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\uk-UA\isoburn.exe.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\w32tm.exe C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\KeyCredMgr.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\en-US\InkObjCore.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\es-ES\provplatformdesktop.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\iasrad.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\ja-JP\sendmail.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\version.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\wiascanprofiles.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\PlayToReceiver.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File opened for modification C:\Windows\SysWOW64\icuin.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\wbem\it-IT\PS_MMAgent.mfl C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\XInputUap.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\de-DE\qdvd.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\it-IT\hgcpl.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\wbem\wmp.mof C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\it-IT\occache.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\uniplat.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\wbem\es-ES\netnccim_uninstall.mfl C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PKI\pki.types.ps1xml C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\es-ES\WsmRes.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\wbem\fr-FR\netttcim.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\CompositeResourceHelper.psm1 C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\en-US\PSDSCxMachine.strings.psd1 C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\Dism\IntlProvider.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\Keywords\ti_cnn_zh-CN.table C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\fr-FR\PresentationHost.exe.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\ntvdm64.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\PhotoMetadataHandler.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\Windows.AccountsControl.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\pl-PL\quickassist.exe.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\wbem\es-ES\ServiceModel35.mfl C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\AcSpecfc.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\en-US\Windows.Gaming.Input.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\twinapi.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\wbem\AgentWmi.mof C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\wbem\FunDisc.mof C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\en-US\ieunatt.exe.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\it-IT\compmgmt.msc C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\ja-JP\netdiagfx.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\Recovery\ReAgent.xml C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\cs-CZ\SyncRes.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\it-IT\adrclient.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\wshhyperv.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\fr-FR\schedsvc.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Storage\InitiatorPort.cdxml C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\es-ES\dot3gpui.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\wbem\ja-JP\csv.xsl C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\Windows.Media.FaceAnalysis.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\Windows.UI.Xaml.Maps.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.targetsize-16_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-48_altform-unplated_devicefamily-colorfulunplated.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\System.Windows.Forms.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\bg_pattern_RHP.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_LinkDrop32x32.gif C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\NAMECONTROLPROXY.DLL C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\System\mfc140enu.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Viewpoints\Light\MilitaryRight.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Standard.targetsize-16_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-ae\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipres.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription2-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription5-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\demux\libavi_plugin.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\UIAutomationClientSideProviders.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeUpdate_disable\1.3.195.43\msedgeupdateres_quz.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\BeGreaterThan.Tests.ps1 C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SplashScreen.scale-125_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef_100_percent.pak C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\linesdistinctive.dotx C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-white\SmallTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-24_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\Wordcnvpxy.cnv C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EXPEDITN\PREVIEW.GIF C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\xaml\onenote\CaptureUIStyles.xaml C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-16_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptyShare.scale-400.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Outlook.scale-100.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\SDXHelper.exe C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GetStartedAppList.scale-200_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-96_altform-unplated_devicefamily-colorfulunplated.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreMedTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-30_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\EntCommon.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\da-dk\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\AppPackageMedTile.scale-125_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MedTile.scale-150_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTile.xml C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Windows.Input.Manipulations.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_sr.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\images\Video-48.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\Classic\Spider.Medium.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MixedRealityPortalAppList.targetsize-80_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\Movie-TVStoreLogo.scale-200_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\msquic.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ro-ro\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lt-lt.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\deploy\[email protected] C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-filesystem-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.RunTime.Serialization.Resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-400_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsWideTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-60_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\UIAutomationTypes.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_Grace-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\resources.pri C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Date.targetsize-16_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\pt-BR\UIAutomationProvider.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\ResiliencyLinks\delegatedWebFeatures.sccd.DATA C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Trust Protection Lists\Mu\Analytics C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\MSBuild.exe C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.rsp C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Dtc.PowerShell.Resources\v4.0_10.0.0.0_de_31bf3856ad364e35\Microsoft.Dtc.PowerShell.Resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Services\v4.0_4.0.0.0__b77a5c561934e089\System.Data.Services.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PLA\Reports\ja-JP\Report.System.Wired.xml C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\SharedFolders.admx C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\SMSvcHost 3.0.0.0\0411\_SMSvcHostPerfCounters_D.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\rtux64w10.inf C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\App_LocalResources\security.aspx.resx C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Prefetch\ONEDRIVESETUP.EXE-8CE5A462.pf C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Speech\Engines\TTS\en-US\MSTTSLocEnUS.dat C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\.NET Memory Cache 4.0\netmemorycache.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Media\Alarm09.wav C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Images\selectedTab_1x1.gif C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\App_LocalResources\home1.aspx.es.resx C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v3.5\it\EdmGen.Resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Activities.Core.Presentation.resources\v4.0_4.0.0.0_fr_31bf3856ad364e35\System.Activities.Core.Presentation.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\es-ES\DeviceSetup.adml C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\it-IT\WindowsFileProtection.adml C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Fonts\ssee1255.fon C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v3.0\Windows Workflow Foundation\SQL\es\SqlPersistenceService_Logic.sql C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\Wizard\App_LocalResources\wizardProviderInfo.ascx.es.resx C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group3\04 - Disk Management.lnk C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Speech_OneCore\Engines\SR\it-IT-N\c1040.fe C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Web.DynamicData.Design.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals.resources\v4.0_4.0.0.0_es_31bf3856ad364e35\System.ServiceModel.Internals.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\fr-FR\PushToInstall.adml C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File opened for modification C:\Windows\Installer\{49841001-DB8F-3FB2-9151-0FD8A01B687A}\icon.ico C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Media\town.mid C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.resources\v4.0_4.0.0.0_it_b03f5f7f11d50a3a\System.Configuration.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Boot\PCAT\tr-TR\memtest.exe.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Help\mui\0411\sqlsoldb.chm C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\hdaudio.PNF C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\iaLPSS2i_GPIO2_GLK.inf C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\00006109E70000000100000000F01FEC\16.0.12527\msvcp140.dll_x64 C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\Browsers\opera.browser C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\es\System.EnterpriseServices.Resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v3.5\es\Microsoft.Data.Entity.Build.Tasks.Resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Media\GoBack_48000Hz.raw C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard\App_LocalResources\confirmation.ascx.ja.resx C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Wizard\App_LocalResources\confirmation.ascx.ja.resx C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Windows.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\de\Microsoft.CSharp.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility.Resources\v4.0_3.0.0.0_it_31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.Resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Diagnostics.TraceSource\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Diagnostics.TraceSource.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\ja-JP\TaskScheduler.adml C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\DiagTrack\RemoteAggregatorTriggerCriteria.dat C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Fonts\seguisli.ttf C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\.NET CLR Networking 4.0.0.0\0411\_Networkingperfcounters_d.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\App_LocalResources\WebAdminHelp_Internals.aspx.fr.resx C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Workflow.Runtime.resources\v4.0_4.0.0.0_fr_31bf3856ad364e35\System.Workflow.Runtime.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\ServiceModelEndpoint 3.0.0.0\0411\_ServiceModelEndpointPerfCounters_D.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\mdmaiwa4.inf C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\PDDom.api_NON_OPT C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Web.DataVisualization.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\it\System.Data.Services.Design.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\PowerShellExecutionPolicy.admx C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ja\System.Web.Abstractions.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\App_LocalResources\WebAdminHelp_Provider.aspx.ja.resx C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\de\System.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem.resources\v4.0_4.0.0.0_fr_b77a5c561934e089\System.IO.Compression.FileSystem.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PLA\Rules\en-US\Rules.System.Disk.xml C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\de-DE\DnsClient.adml C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Browser Information Discovery

discovery

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "L1033" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{31350404-77AC-4471-B33A-9020A2EDA1D1}" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "410" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\de-DE\\M1031Katja" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Zira - English (United States)" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Mark" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "910" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{14E74C62-DC97-43B0-8F2F-581496A65D60}" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "German Phone Converter" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\c1033.fe" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Zira" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech Recognition Engine - es-ES Embedded DNN v11.1" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\fr-FR-N\\c1036.fe" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SW" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR en-US Lts Lexicon" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Paul - French (France)" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\it-IT-N\\lsr1040.lxa" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "French Phone Converter" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "411" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Near" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\fr-FR\\M1036Julie" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 1 0008 ~ 0009 aa 000a a 000b oh 000c ax 000d b 000e d 000f eh 0010 ey 0011 f 0012 g 0013 hy 0014 uy 0015 iy 0016 k 0017 l 0018 m 0019 n 001a ng 001b nj 001c oe 001d eu 001e ow 001f p 0020 r 0021 s 0022 sh 0023 t 0024 uw 0025 v 0026 w 0027 y 0028 z 0029 zh 002a" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR de-DE Lookup Lexicon" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{6BFCACDC-A6A6-4343-9CF6-83A83727367B}" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "MS-1036-110-WINMO-DNN" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{57523D96-B7F6-4D2C-8AFC-BCC5F5392E94}" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\fr-FR-N\\tn1036.bin" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\it-IT-N\\AI041040" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "804" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR ja-JP Lookup Lexicon" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "40A;C0A" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\de-DE-N\\L1031" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Hedda" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\en-US\\M1033Zira" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR fr-FR Locale Handler" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Julie" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Paul" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 1 0008 2 0009 a 000a e 000b i 000c o 000d u 000e t 000f d 0010 p 0011 b 0012 k 0013 g 0014 ch 0015 jj 0016 f 0017 s 0018 x 0019 m 001a n 001b nj 001c l 001d ll 001e r 001f rr 0020 j 0021 w 0022 th 0023" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "MS-1033-110-WINMO-DNN" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "L1036" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR it-IT Locale Handler" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "309C 309C 30A1 30A1 30A2 30A2 30A3 30A3 30A4 30A4 30A5 30A5 30A6 30A6 30A7 30A7 30A8 30A8 30A9 30A9 30AA 30AA 30AB 30AB 30AC 30AC 30AD 30AD 30AE 30AE 30AF 30AF 30B0 30B0 30B1 30B1 30B2 30B2 30B3 30B3 30B4 30B4 30B5 30B5 30B6 30B6 30B7 30B7 30B8 30B8 30B9 30B9 30BA 30BA 30BB 30BB 30BC 30BC 30BD 30BD 30BE 30BE 30BF 30BF 30C0 30C0 30C1 30C1 30C2 30C2 30C3 30C3 30C4 30C4 30C5 30C5 30C6 30C6 30C7 30C7 30C8 30C8 30C9 30C9 30CA 30CA 30CB 30CB 30CC 30CC 30CD 30CD 30CE 30CE 30CF 30CF 30D0 30D0 30D1 30D1 30D2 30D2 30D3 30D3 30D4 30D4 30D5 30D5 30D6 30D6 30D7 30D7 30D8 30D8 30D9 30D9 30DA 30DA 30DB 30DB 30DC 30DC 30DD 30DD 30DE 30DE 30DF 30DF 30E0 30E0 30E1 30E1 30E2 30E2 30E3 30E3 30E4 30E4 30E5 30E5 30E6 30E6 30E7 30E7 30E8 30E8 30E9 30E9 30EA 30EA 30EB 30EB 30EC 30EC 30ED 30ED 30EE 30EE 30EF 30EF 30F0 30F0 30F1 30F1 30F2 30F2 30F3 30F3 30F4 30F4 30F5 30F5 30F6 30F6 30F7 30F7 30F8 30F8 30F9 30F9 30FA 30FA 30FB 30FB 30FC 30FC 30FD 30FD 30FE 30FE 0021 0021 0027 0027 002B 002B 002E 002E 003F 003F 005F 005F 007C 007C" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR Engine (11.0) Text Normalization" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Hedda - German (Germany)" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR it-IT Lookup Lexicon" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "L1041" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 ^ 0008 1 0009 2 000a ~ 000b : 000c a 000d aw 000e ax 000f ay 0010 b 0011 d 0012 ch 0013 eh 0014 eu 0015 ey 0016 f 0017 g 0018 h 0019 ih 001a iy 001b jh 001c k 001d l 001e m 001f n 0020 ng 0021 oe 0022 oh 0023 ow 0024 oy 0025 p 0026 pf 0027 r 0028 s 0029 sh 002a t 002b ts 002c ue 002d uh 002e uw 002f uy 0030 v 0031 x 0032 y 0033 z 0034 zh 0035" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\de-DE-N\\c1031.fe" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Julie - French (France)" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech SW Voice Activation - Japanese (Japan)" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "002D 002D 0021 0021 0026 0026 002C 002C 002E 002E 003F 003F 005F 005F 002B 002B 002A 002A 02C9 02C9 02CA 02CA 02C7 02C7 02CB 02CB 02D9 02D9 3000 3000 3105 3105 3106 3106 3107 3107 3108 3108 3109 3109 310A 310A 310B 310B 310C 310C 310D 310D 310E 310E 310F 310F 3110 3110 3111 3111 3112 3112 3113 3113 3114 3114 3115 3115 3116 3116 3117 3117 3118 3118 3119 3119 3127 3127 3128 3128 3129 3129 311A 311A 311B 311B 311C 311C 311D 311D 311E 311E 311F 311F 3120 3120 3121 3121 3122 3122 3123 3123 3124 3124 3125 3125 3126 3126" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\es-ES-N\\lsr3082.lxa" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech HW Voice Activation - Spanish (Spain)" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "spell=NativeSupported; cardinal=GlobalSupported; ordinal=NativeSupported; date=GlobalSupported; time=GlobalSupported; telephone=NativeSupported; computer=NativeSupported; address=NativeSupported; currency=NativeSupported; message=NativeSupported; media=NativeSupported; url=NativeSupported; alphanumeric=NativeSupported" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "966" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{BAE3E62C-37D4-49AC-A6F1-0E485ECD6757}" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\es-ES\\M3082Laura" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Pablo" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech HW Voice Activation - French (France)" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\it-IT-N\\r1040sr.lxa" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe"

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
GB 2.18.27.82:443 www.bing.com tcp
GB 2.18.27.82:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 216.58.201.99:80 c.pki.goog tcp

Files

C:\Program Files\7-Zip\7-zip32.dll

MD5 d63843be3b7eb1c0e9c2f797ce6414a7
SHA1 cf2253d7d63731496b5ab22b4469a874f9e9334a
SHA256 5ed9e86468279060f2031e1142b55af88d06c7fe08d4c30194f6100e6812625e
SHA512 e21a13d01a6a88c0c3312e6e39cde3e844dba80efb5311d6a1e64751b1086c0486bd9ef37509c57568775a21504266644f373cd28958ecd83aa6fcabd174613c

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

MD5 920865b6ee3d9d19d0f999f9e6cf6dfa
SHA1 913658e599d0b47050f67d6f47360e7be138d818
SHA256 5241a0dea78f1001112ca2e909816b35b048544fd5fd3887eaa85531a6984456
SHA512 0e0c37e3f2d6985239a3932312ae495e6aaaa160493e6c3725cd09b0d3daf84f31568bbb6d43f9113b71f3d078b840c0a83d4a7155c694945928cdc03c51fa02

C:\Program Files\Microsoft Office\root\Office16\VISSHE.DLL

MD5 b5c330b48cd86305e4608e8bbdb22405
SHA1 8d66fcd8ea478b62ae08d8a3b9cf0919362f167e
SHA256 9f4c0af8fe986def4578d4f6809e90f2b4b34fc19cf954ad2aafbe89b29e4abc
SHA512 786f8300f5fbb81d220845f329ba944967277f5a8269019852be13975d5a236fb3bfb7a7066cd6100057be9809c50ff802c466fb2edc52d52bfde86136f5314c

C:\WINDOWS\FONTS\ARIALN.TTF

MD5 423978fb826c3fc0c41db0fba4ff454e
SHA1 09d9ac847811fe226552c58ec5ed93b092f2c79b
SHA256 3a3e00d087237d33ccce31f5cd256e939c210250ebe153ffd140aef3bf3bbfd3
SHA512 fbdd99c17ca49b6908cee7386e7c76b5916304a91ecd2bc8f9be57747a3bc44a651f957f61e7353ea74435463ad23908744ee922ac40adc9c8c6c79230772ab3

C:\WINDOWS\FONTS\FREESCPT.TTF

MD5 6c9652ed58486ed708ec83779d14d245
SHA1 e93d86dc4c1d0485723b0367321fb93c9d4dbf21
SHA256 cc65d30034e37d0d5d68a84016e9fd28da699c372d9b2514098883d8440a2668
SHA512 4747a82d74dace44e3ce45c179838a1cc245d7aeefa7d7079ed45207d35086eb331d0c7601175a7b21925ef99b85554dc3137d2f0ab274e5a52c300c71d881e7

C:\WINDOWS\FONTS\ANTQUAI.TTF

MD5 877f4ff55df1279859a915784e9c1494
SHA1 30b03e3dac3f57a0b376c465ca94991ffe052746
SHA256 46b345683ee524fbac5d47c7bf8e88b2c9cf899bf0045252d00df8224b725bd8
SHA512 8c77127a73246346e0f2240655ac6de7905e28457b65449448e24b71ce9368d7a55731933102b75c74282b6ef69a9f821c3c281ce54699a77fbd3749656baed6

C:\WINDOWS\FONTS\ANTQUABI.TTF

MD5 576a08d7c69df02f3dd2157298188c94
SHA1 11a42e049f239be21c034c7b9272cb7fb29dc367
SHA256 f296e29a88b7031620f85690667deb9eb60da1632af27478a0d99b5d2fc352af
SHA512 9beae9e8e327af18ce9df58bec30e2e4c21fb413734c85866f72cad7f6a67036b85b8e56611001cc3c32815aabdf1c75b1e502bec17ea52325cc4502a4f54633

C:\WINDOWS\FONTS\ANTQUAB.TTF

MD5 016c2527ac512fc9df181b60cc44e225
SHA1 bd7615a0ed811eae178f3d82b8616fdd4e6d5319
SHA256 51bec63c3cede56d9a1c246a51d7b31fd438c52ac34117bbdde3325ac0c28bdb
SHA512 0c0c62e93a271e2ac65d77f3dc4409213a6678ff8c1d4c05e031864d2ae0f2eb12e6acb785691f477ae69bdbbf090246023dd92bf3e409fa77661978fd4168bc

memory/4368-5833-0x00000211136D0000-0x00000211136F0000-memory.dmp

memory/4368-5841-0x0000021113690000-0x00000211136B0000-memory.dmp

memory/4368-5842-0x0000021113A20000-0x0000021113A40000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\49DDX0WX\microsoft.windows[1].xml

MD5 88df8fd15df82aa8d53ca7e174dfa66c
SHA1 5ecc316c8a22b09f8f64f7c67efe4a0468f07c17
SHA256 474966fc1c140c583fdaa26a057798ba409db75d41bd7fab23f2e88c775ae682
SHA512 185a748bc1b3633739aed35a6a7e5ab850b5f59b4e37a343ace6c1440452e93a3c1a03cc8cfab0668c7a1d2e5d84613788abee116f9b769cf1240b13d57f8f42

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat

MD5 104f81dd974ee6cff12ac932f403f610
SHA1 9c5f77a499a2f193f21b61122bc6c297c04787d4
SHA256 a255d75f49b42239950fab22206ec9eb2ddf2e9acca3eef2283d899ef6422cba
SHA512 abd54847718f2c81372788838c511a85b57b68a1443ae8409f49a1554edaa45badcad1143119ea367c20f52084a05e2af3cc51596932f99e89879a2b9692c7f6

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133921357060202460.txt

MD5 b9a3570135c6cdac61e23a655424bb81
SHA1 b25c823b867b820fa34e0d61892c99af1b3db241
SHA256 e193af6a87eea12acbb0e56ca2c4e0b078e4c775d8b0f46c327eeb0ce00ce2e6
SHA512 73f70af649bf07c3c9c9298c78f8fc1168be976af14b7e381ccf33fef36cfc4809becb8d2c7ecb5ea8d198f7bdf1c2f30ed1c800df4086099215c8ade7d86ca0

memory/2132-5884-0x000001603A300000-0x000001603A400000-memory.dmp

memory/2132-5885-0x000001603A300000-0x000001603A400000-memory.dmp

memory/2132-5889-0x000001603BB90000-0x000001603BBB0000-memory.dmp

memory/2132-5894-0x000001603BF60000-0x000001603BF80000-memory.dmp

memory/2132-5893-0x000001603BB50000-0x000001603BB70000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\95d9a2a97a42f02325559b453ba7f8fe839baa18.tbres

MD5 8e86cc897eefa3efe721338455517ce7
SHA1 416d74aec53ac33ffa31aa15ddfa3f37b6772ebd
SHA256 c3e2f9e1319c325a4cee0c1e8066610693d9055c3bcd69d13dd205e64c698828
SHA512 f3ae8acec692ee1e04825572cc82ad11952a4108026fed1c05feebc659984fe7185e1826c171699eb789c5803155e5ac9d2d4ca35d3e0432c601e032d0aa4640

Analysis: behavioral2

Detonation Overview

Submitted

2025-05-19 13:39

Reported

2025-05-19 13:42

Platform

win11-20250502-en

Max time kernel

150s

Max time network

104s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe"

Signatures

Gofing

ransomware gofing

Gofing family

gofing

Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Renames multiple (51) files with added filename extension

ransomware

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\en-US\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\ja-JP\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\it-IT\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\de-DE\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\es-ES\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\it-IT\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\uk-UA\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\de-DE\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\es-ES\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\fr-FR\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\fr-FR\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\gm.dls C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\gmreadme.txt C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\ja-JP\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\afunix.sys C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\en-US\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\manifest.json C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Fonts\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Downloaded Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Media\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Offline Web Pages\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\$Recycle.Bin\S-1-5-21-330179853-1108322181-418488014-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-TabletPC-Package~31bf3856ad364e35~amd64~ja-JP~10.0.22000.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Wifi-Client-Broadcom-Bcmwl63al-FOD-Package~31bf3856ad364e35~amd64~~10.0.22000.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\DefaultQuestions.json C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\c_nettrans.inf_amd64_9859e6d1394d99d3\c_nettrans.inf C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\DriverStore\de-DE\netnb.inf_loc C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\Keywords\{A5A7C794-3D59-41DF-915F-19ACDA526FC9}4105.bin C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\Dism\es-ES\FolderProvider.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\MiracastReceiver.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\ja-JP\winver.exe.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\shacct.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\DriverStore\de-DE\winusb.inf_loc C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\DriverStore\en-US\netl1c63x64.inf_loc C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetAdapter\MSFT_NetAdapterSriovVf.cmdletDefinition.cdxml C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_WindowsOptionalFeature\en-US\MSFT_WindowsOptionalFeature.schema.mfl C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\sxsstore.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Composable-PlatformExtension-DragDropCommon-WOW64-Package~31bf3856ad364e35~amd64~~10.0.22000.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Printing-PrintToPDF-Opt-Package~31bf3856ad364e35~amd64~uk-UA~10.0.22000.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\LocationFramework.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\IME\SHARED\IMETIP.DLL C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\inetcomm.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-Graphics-DirectX-Package~31bf3856ad364e35~amd64~~10.0.22000.469.cat C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\Dism\en-US\UnattendProvider.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\Dsui.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\accountaccessor.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\shgina.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-EnterpriseClientSync-Host-Opt-Package~31bf3856ad364e35~amd64~es-ES~10.0.22000.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\Dism\de-DE\UnattendProvider.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\DriverStore\en-US\hdaudio.inf_loc C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetAdapter\MSFT_NetAdapterStatistics.cmdletDefinition.cdxml C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\lv-LV\quickassist.exe.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\slc.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Containers-Guest-Gated-Package~31bf3856ad364e35~amd64~en-US~10.0.22000.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Multimedia-RestrictedCodecsCore-Package~31bf3856ad364e35~amd64~en-US~10.0.22000.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\PhonePlatformAbstraction.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\nb-NO\windows.ui.xaml.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Common-Drivers-merged-Package~31bf3856ad364e35~amd64~~10.0.22000.469.cat C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-WebcamExperience-WOW64-Package~31bf3856ad364e35~amd64~uk-UA~10.0.22000.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\DriverStore\es-ES\circlass.inf_loc C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\DriverStore\fr-FR\buttonconverter.inf_loc C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ProcessResource\ja-JP\MSFT_ProcessResource.schema.mfl C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\pspluginwkr.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\es-ES\tcmsetup.exe.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-OptionalFeatures-Package~31bf3856ad364e35~amd64~~10.0.22000.71.cat C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\pt-PT\cdosys.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetTCPIP\MSFT_NetTransportFilter.cdxml C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\it-IT\objsel.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\DriverStore\es-ES\WUDFUsbccidDriver.inf_loc C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\DriverStore\it-IT\mausbhost.inf_loc C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\IME\IMEJP\IMJPUEX.EXE C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-TextPrediction-Package~31bf3856ad364e35~amd64~de-DE~10.0.22000.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnge001.inf_amd64_d06a04ca781e27cc\prnge001.inf C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\DriverStore\en-US\3ware.inf_loc C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\DriverStore\es-ES\sisraid2.inf_loc C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\en-US\NetworkHelper.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-LanguagePack-Package~31bf3856ad364e35~amd64~en-US~10.0.22000.318.cat C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SMB1Deprecation-Package~31bf3856ad364e35~amd64~~10.0.22000.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\DriverStore\en-US\mdmhayes.inf_loc C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\DriverStore\es-ES\netnvma.inf_loc C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\DriverStore\ja-JP\AudioEndpoint.inf_loc C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\IME\IMEJP\IMJPDCT.EXE C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetAdapter\MSFT_NetAdapterHardwareInfo.cmdletDefinition.cdxml C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Desktop-Shared-Drivers-Package~31bf3856ad364e35~amd64~~10.0.22000.493.cat C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\nvdimm.inf_amd64_ccd884280893585c\nvdimm.inf C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\DismApi.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.ProviderShared.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2020.503.58.0_x64__8wekyb3d8bbwe\Assets\CameraLargeTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2102.13.0_x64__8wekyb3d8bbwe\Assets\ps1file.targetsize-16.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-16.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\FilterModule.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.41182.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-32_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-left.gif C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Generic-Dark.scale-200.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.BingWeather_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherAppList.targetsize-80_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.40831.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-16.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2103.1172.0_x64__8wekyb3d8bbwe\Assets\contrast-white\FeedbackHubAppList.targetsize-36.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\Images\LockScreenLogo.scale-100_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-36_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.EventBasedAsync.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\msedgeupdateres_ms.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib-commonjs\warn\warn.js C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.GamingApp_2105.900.24.0_x64__8wekyb3d8bbwe\Assets\Xbox_WideTile.scale-200_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_12008.1001.1.0_x64__8wekyb3d8bbwe\Store.Purchase.Component.winmd C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\MusicWhatsNewItems.json C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxMailWideTile.scale-150.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Net.Resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib-amd\IRectangle.js C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Printing.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\Microsoft.VisualBasic.Forms.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-xstate-l2-1-0.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PaintWideTile.scale-400.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_1.0.36.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubSplashScreen.scale-200.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\mso40uiimm.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Numerics.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\PresentationFramework.Luna.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Common Files\System\ado\msadrh15.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription4-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleSplashScreen.scale-200.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_1.0.36.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsStoreLogo.scale-100.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.targetsize-20_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\GamesXboxHubAppList.scale-100.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp3-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-convert-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\UnlockHide.clr C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_10.0.561.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_1.0.36.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-32_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\pl\Microsoft.VisualBasic.Forms.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\hr-hr\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Trial-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN065.XML C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.MicrosoftStickyNotes_4.0.2.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Icons\StickyNotesWideTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_x64__8wekyb3d8bbwe\PeopleUtilRT.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.50.24002.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\GameBar_SmallTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\RunningLate.scale-64.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Common Files\System\msadc\it-IT\msdaremr.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\linesdistinctive.dotx C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_1.0.36.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-24_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\A12_Spinner.gif C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\identity_proxy\win11\identity_helper.Sparse.Canary.msix C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\WindowsFormsIntegration.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PaintStoreLogo.scale-200.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxSignature.p7x C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-32.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\System.Security.Cryptography.Pkcs.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\s_filetype_xd.svg C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\pl-pl\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Cultures\OFFICE.ODF C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\folder.gif C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\default.win32manifest C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\de-DE\SoundRec.adml C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\en-US\SearchOCR.adml C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\it-IT\AttachmentManager.adml C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Security.SecureString.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\1031\clretwrc.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\legacy.web_lowtrust.config C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Linq.resources\v4.0_4.0.0.0_ja_b77a5c561934e089\System.Data.Linq.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Services.Design.resources\v4.0_4.0.0.0_ja_b77a5c561934e089\System.Data.Services.Design.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\de-DE\WindowsRemoteShell.adml C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Fonts\FRSCRIPT.TTF C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\c_dot4print.inf C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\Users\App_LocalResources\editUser.aspx.resx C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\es\System.Speech.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\de\SqlPersistenceService_Logic.sql C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\it\System.ServiceModel.Internals.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\fr\System.Net.Http.WebRequest.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Wizard\App_LocalResources\confirmation.ascx.it.resx C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\intelpep.inf C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clientexclusionlist.xml C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\es-ES\iSCSI.adml C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\it-IT\SystemRestore.adml C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\InboxApps\OutlookPWA.msix C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\App_LocalResources\AppSetting.ascx.resx C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\NetFx40_IIS_schema_update.xml C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Boot\PCAT\memtest.exe C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\.NET Memory Cache 4.0\0411\netmemorycache_d.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Activities.Resources\v4.0_3.0.0.0_es_31bf3856ad364e35\Microsoft.PowerShell.Activities.Resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\fr-FR\DnsClient.adml C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\3082\alinkui.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\App_LocalResources\WebAdminHelp.aspx.resx C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Microsoft.WinFX.targets C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\App_LocalResources\DebugAndTrace.aspx.resx C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Conversion.v4.0.resources\v4.0_4.0.0.0_fr_b03f5f7f11d50a3a\Microsoft.Build.Conversion.v4.0.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals.resources\v4.0_4.0.0.0_de_31bf3856ad364e35\System.ServiceModel.Internals.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PLA\Rules\Rules.System.Common.xml C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Cursors\help_r.cur C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\storufs.PNF C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Users\App_LocalResources\manageUsers.aspx.es.resx C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\fr\System.Security.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel.Selectors.resources\v4.0_4.0.0.0_de_b77a5c561934e089\System.IdentityModel.Selectors.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Routing.resources\v4.0_4.0.0.0_es_31bf3856ad364e35\System.ServiceModel.Routing.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ja\System.Data.DataSetExtensions.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\DebugAndTrace.aspx C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Cmdletization.OData.Resources\v4.0_3.0.0.0_fr_31bf3856ad364e35\Microsoft.PowerShell.Cmdletization.OData.Resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.GPowerShell.Resources\v4.0_3.0.0.0_de_31bf3856ad364e35\Microsoft.PowerShell.Gpowershell.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\es-ES\ControlPanelDisplay.adml C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\mdmcxpv6.inf C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\netvchannel.inf C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v1.1.4322\regsvcs.exe.config C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v3.5\fr\DataSvcUtil.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\de-DE\Cpls.adml C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\de-DE\DigitalLocker.adml C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Cursors\aero_busy.ani C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Fonts\smaf1257.fon C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard\App_LocalResources\wizard.aspx.fr.resx C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\en\SqlPersistenceService_Schema.sql C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\Fonts\GlobalUserInterface.CompositeFont C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\es\System.Activities.Core.Presentation.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Log.resources\v4.0_4.0.0.0_de_b03f5f7f11d50a3a\System.IO.Log.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PLA\Rules\ja-JP\Rules.System.Wired.xml C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Boot\EFI\fi-FI\memtest.efi.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Browser Information Discovery

discovery

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-19_5b9e5a89eb6c7826167c719c5467aa64_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe"

Network

Files

C:\Program Files\7-Zip\7-zip32.dll

MD5 40ef069cd90d74e877702e4fc5c9c6c6
SHA1 df7b4a90e378cf8c240b27b5b549e941b079dbd4
SHA256 f4feb4b71144108f1299face1d3ffdaf05fe56fa5cf141d33e4b5e716eb16f89
SHA512 da516a9889294545f5d6130825934fcc401c8fce2d875b0012bbcb4e13f5f8fc6ccf1622cb7858f7956562109f147487ab4a0444b58b089f5dfb98f7fff9877d

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

MD5 4d06c408703b55d4dbca43568ebf9993
SHA1 e7bf3391be63b305e58bbc0ca178cde885a2ea9c
SHA256 76e59b08fbdbc988924bad72694da7a4811b31145d00e548ed0167143374a023
SHA512 08bc57c72972448dd04e573b3479aaed0ff4caa257ff51d25740c30b35f4a0e1ad0cf49512f69fabcccd3824d19f2d2c4c8b66b578519204dd1affa9d2bc6a12

C:\Program Files\Microsoft Office\root\Office16\VISSHE.DLL

MD5 c5d52414b2d73abd15c16df2746fcbc2
SHA1 75e93f9ab461845ac19f9b21c84b74f7164a49c1
SHA256 fcd26addd2856efd485aec57dfd2e4df3d17d102be531ef34aff8181fc1b4f04
SHA512 709494508e8567754d81ab03cd00fd53d4e9bfded5403f3ce5cadd8116f234bb2891c0240dd23cc91d5560fa4a6aab412524da16f46a1e9cd250702a905fdd6c