Malware Analysis Report

2025-08-05 15:06

Sample ID 250519-rrpjzahq4w
Target 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch
SHA256 de5cde8382551f355f84b439277bd0c7c929f8d60669a21de6c5346853948037
Tags
gofing credential_access discovery ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

de5cde8382551f355f84b439277bd0c7c929f8d60669a21de6c5346853948037

Threat Level: Known bad

The file 2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch was found to be: Known bad.

Malicious Activity Summary

gofing credential_access discovery ransomware spyware stealer

Gofing

Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

Gofing family

Renames multiple (51) files with added filename extension

Manipulates Digital Signatures

Drops file in Drivers directory

Drops startup file

Reads user/profile data of web browsers

Loads dropped DLL

Credentials from Password Stores: Windows Credential Manager

Drops Chrome extension

Drops desktop.ini file(s)

Drops autorun.inf file

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Browser Information Discovery

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Modifies Internet Explorer settings

Modifies registry class

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-19 14:25

Signatures

Gofing family

gofing

Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-19 14:25

Reported

2025-05-19 14:28

Platform

win10v2004-20250502-en

Max time kernel

150s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe"

Signatures

Gofing

ransomware gofing

Gofing family

gofing

Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Renames multiple (51) files with added filename extension

ransomware

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\en-US\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\es-ES\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\gm.dls C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\it-IT\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\ja-JP\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\ja-JP\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\de-DE\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\es-ES\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\afunix.sys C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\de-DE\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\en-US\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\fr-FR\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\fr-FR\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\gmreadme.txt C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\it-IT\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\uk-UA\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\manifest.json C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Offline Web Pages\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Media\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\$Recycle.Bin\S-1-5-21-3299287909-2279959458-198972791-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Fonts\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\netlogon.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-UX-UI-Client-merged-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\MultiPoint-Tools-Opt-Package~31bf3856ad364e35~amd64~uk-UA~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.xls C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ArchiveResource\es-ES\ArchiveProvider.psd1 C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\en-US\PSDesiredStateConfiguration.Resource.psd1 C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\mfc100cht.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\wbem\es-ES\wbemcntl.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\ARP.EXE C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Multimedia-RestrictedCodecsCore-WOW64-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\AzureSettingSyncProvider.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WinMetadata\Windows.Storage.winmd C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\en-US\NetworkItemFactory.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\ja-JP\charmap.exe.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppServerClient-OptGroup-Package~31bf3856ad364e35~amd64~uk-UA~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\ErrorDetails.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\IME\SHARED\res\padrs411.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\Microsoft.BackgroundIntelligentTransfer.Management.Interop.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\ja-JP\msxml6r.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\winmm.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_19_for_KB5005699~31bf3856ad364e35~amd64~~19041.1220.1.0.cat C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_RegistryResource\es-ES\MSFT_RegistryResource.schema.mfl C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\en-US\packager.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-KernelInt-VirtualDevice-merged-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-RDP4VS-merged-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Vpci-VSP-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-UtilityVM-Containers-Shared-merged-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-DirectoryServices-ADAM-Client-Admin-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-RegulatedPackages-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\ETWCoreUIComponentsResources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\en-US\wlanutil.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-IIS-WebServer-ServerCommon-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\appidapi.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\es-ES\modemui.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\fr-FR\fixmapi.exe.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\mountvol.exe C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\shunimpl.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\wbem\mispace_uninstall.mof C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-UX-UI-63-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-VMMS-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\CheckNetIsolation.exe C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\Speech_OneCore\Common\fr-FR\Tokens_SR_fr-FR-N.xml C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\it-IT\wcncsvc.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\ja-JP\MFC40.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\systemcpl.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-System-VirtualMachine-merged-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0112~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\de-DE\WF.msc C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\it-IT\iesetup.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\wbem\en-US\vss.mfl C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\wbem\whqlprov.mof C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Multimedia-MF-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1288.cat C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-TerminalServices-AppServerClient-Opt-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\MultiPoint-Help-Package~31bf3856ad364e35~amd64~uk-UA~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CredProvHelper.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\LocationApi.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\PlayToDevice.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\ja-JP\rasgcw.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Storage-VSP-merged-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-EditionPack-Professional-WOW64-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-PhotoBasic-Feature-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\bcmfn2.inf_amd64_5ebadf201c5b5845\bcmfn2.sys C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\NcaApi.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WinSyncMetastore.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Office\root\Templates\1033\GettingStarted16\SLINTL.DLL C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubBadgeLogo.scale-200_contrast-high.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-36_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailSplashLogo.scale-150.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Windows.Controls.Ribbon.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\hr-hr\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square44x44\PaintAppList.scale-150.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-36_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\learning_tools.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\bg1a_thumb.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailLargeTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\7-Zip\Lang\uk.txt C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hi-in.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019MSDNR_Retail-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-140.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STUDIO\THMBNAIL.PNG C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-256.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\en_CA.aff C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Common Files\System\ado\de-DE\msader15.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-100.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalAppList.targetsize-16_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Retail\NinjaCatOnDragon.scale-100.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Xbox.Foundation.Media.winmd C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\WindowsFormsIntegration.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\UIAutomationTypes.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_KMS_ClientC2R-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-48.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxSignature.p7x C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GARAIT.TTF C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\intf\dumpmeta.luac C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Microsoft.Advertising.winmd C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\BadgeLogo.scale-400_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\LargeTile.scale-400_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-white\MedTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xea23.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubLargeTile.scale-100_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.2.2_2.2.27328.0_x64__8wekyb3d8bbwe\AppxManifest.xml C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\TimerSmallTile.contrast-white_scale-100.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\en-us\lpcstrings.json C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\LICENSE.txt C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\es-es\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\msdaorar.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\EBWebView\x64\EmbeddedBrowserWebView.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\ResiliencyLinks\Trust Protection Lists\manifest.json.DATA C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Edit.White.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MINSBROAMINGPROXY.DLL C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\Weather_BadgeLogo.scale-100.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_OwlEye.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.scale-150_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxLargeTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Xaml.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\de\PresentationUI.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial4-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\198.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-36_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.Entertainment.winmd C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-math-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\UIAutomationClientSideProviders.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\ResiliencyLinks\Extensions\external_extensions.json.DATA C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\ClientVolumeLicense_eula.txt C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PAPYRUS\PAPYRUS.INF C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\196.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\WsatConfig\v4.0_4.0.0.0__b03f5f7f11d50a3a\WsatConfig.exe C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\Permissions\App_LocalResources\managePermissions.aspx.fr.resx C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image2.gif C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\es\System.Data.Entity.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Office.Tools.Excel.Implementation\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.Office.Tools.Excel.Implementation.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\de-DE\PushToInstall.adml C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\PERFLIB\0410\perfd.dat C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\ksfilter.inf C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ImmersiveControlPanel\images\TileSmall.scale-150.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Media\Windows Notify.wav C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\headerGRADIENT_Tall.gif C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard\App_LocalResources\wizardAddUser.ascx.fr.resx C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallPersistSqlState.sql C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\System.EnterpriseServices.Wrapper.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\SDFLauncher.inf C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_LocalResources\error.aspx.ja.resx C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\ManageAppSettings.aspx C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SbsNclPerf.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands.Resources\v4.0_10.0.0.0_it_31bf3856ad364e35\Microsoft.SecureBoot.Commands.Resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ISECommon.Resources\v4.0_3.0.0.0_es_31bf3856ad364e35\Microsoft.PowerShell.ISECommon.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SrpUxSnapIn.resources\v4.0_10.0.0.0_de_31bf3856ad364e35\SrpUxSnapIn.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Device.resources\v4.0_4.0.0.0_de_b77a5c561934e089\System.Device.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Fonts\smallee.fon C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallRoles.sql C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\legacy.web_mediumtrust.config C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\it\MSBuild.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\it\Microsoft.VisualBasic.Compatibility.Data.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Activities.resources\v4.0_4.0.0.0_fr_31bf3856ad364e35\System.ServiceModel.Activities.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\fr-FR\ControlPanel.adml C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Speech\Common\es-ES\sapisvr.exe.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\net1ic64.inf C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File opened for modification C:\Windows\Logs\CBS\CBS.log C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ja\System.Workflow.Activities.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.Commands.GetDiagInput.Resources\v4.0_1.0.0.0_de_31bf3856ad364e35\Microsoft.Windows.Diagnosis.Commands.GetDiagInput.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_vcomp100_x86 C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\DE\Microsoft.Build.Utilities.Resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v3.5\1033\cscompui.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ja\CustomMarshalers.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\Permissions\App_LocalResources\createPermission.aspx.ja.resx C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\Users\findUsers.aspx C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Security.Principal.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_perf.h C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Fonts\85f874.fon C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ImmersiveControlPanel\images\splashscreen.contrast-white_scale-400.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\icucnv40.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Regasm.resources\v4.0_4.0.0.0_it_b03f5f7f11d50a3a\Regasm.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\en-US\NetworkConnections.adml C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\reader_sl.exe C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\1031\cscompui.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\DE\System.Messaging.Resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\de\System.Windows.Forms.DataVisualization.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\it-IT\ServiceModelEvents.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\fr\System.ComponentModel.Composition.Registration.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.ConfigCI.Commands.Resources\v4.0_10.0.0.0_es_31bf3856ad364e35\Microsoft.ConfigCI.Commands.Resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Policy.3.0.Microsoft.BackgroundIntelligentTransfer.Management\v4.0_10.0.0.0__31bf3856ad364e35\Policy.3.0.Microsoft.BackgroundIntelligentTransfer.Management.config C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\fr\UIAutomationClient.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\fr\System.IO.Log.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.IdentityModel.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Activities.DurableInstancing.resources\v4.0_4.0.0.0_es_31bf3856ad364e35\System.Activities.DurableInstancing.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\NetworkConnections.admx C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\en-US\EventLog.adml C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\it-IT\WordWheel.adml C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\ja-JP\AppxPackageManager.adml C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ImmersiveControlPanel\images\TinyTile.contrast-black_scale-100.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Browser Information Discovery

discovery

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Near" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\de-DE\\M1031Katja" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Adult" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "5223743" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech HW Voice Activation - Spanish (Spain)" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\fr-FR-N\\r1036sr.lxa" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech HW Voice Activation - Italian (Italy)" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Stefan" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR fr-FR Lts Lexicon" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\it-IT-N\\r1040sr.lxa" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "既定の音声として%1を選びました" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "DebugPlugin" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Male" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\es-ES-N\\AI043082" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\es-ES\\M3082Pablo" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\es-ES\\M3082Helena" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\ja-JP-N\\c1041.fe" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "436;41c;401;801;c01;1001;1401;1801;1c01;2001;2401;2801;2c01;3001;3401;3801;3c01;4001;42b;42c;82c;42d;423;402;455;403;c04;1004;1404;41a;405;406;465;413;813;809;c09;1009;1409;1809;1c09;2009;2409;2809;2c09;3009;3409;425;438;429;40b;80c;c0c;100c;140c;180c;456;437;807;c07;1007;1407;408;447;40d;439;40e;40f;421;410;810;44b;457;412;812;440;426;427;827;42f;43e;83e;44e;450;414;814;415;416;816;446;418;419;44f;c1a;81a;41b;424;80a;100a;140a;180a;1c0a;200a;240a;280a;2c0a;300a;340a;380a;3c0a;400a;440a;480a;4c0a;500a;430;441;41d;81d;45a;449;444;44a;41e;41f;422;420;820;443;843;42a;540a" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\lsr1033.lxa" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Haruka" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech SW Voice Activation - Italian (Italy)" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\r1033sr.lxa" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\AI041033" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "L1031" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\de-DE-N\\L1031" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR Engine (11.0) Text Normalization" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Katja" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech HW Voice Activation - German (Germany)" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\fr-FR-N\\AI041036" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{57523D96-B7F6-4D2C-8AFC-BCC5F5392E94}" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\it-IT\\VoiceActivation_it-IT.dat" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\de-DE\\MSTTSLocdeDE.dat" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\fr-FR-N\\c1036.fe" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR fr-FR Locale Handler" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\fr-FR-N\\tn1036.bin" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "MS-1040-110-WINMO-DNN" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{37A9D401-0BF5-4366-9530-C75C6DC23EC9}" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\fr-FR\\MSTTSLocfrFR.dat" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\ja-JP\\sidubm.table" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "en-US" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "16000" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\es-ES-N\\lsr3082.lxa" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{81218F10-A8AA-44C4-9436-33A42C3852E9}" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "5248260" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\ja-JP-N\\r1041sr.lxa" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech SW Voice Activation - Japanese (Japan)" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "5233694" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech SW Voice Activation - German (Germany)" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "L1033" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "spell=NativeSupported; cardinal=GlobalSupported; ordinal=NativeSupported; date=GlobalSupported; time=GlobalSupported; telephone=NativeSupported; currency=NativeSupported; url=NativeSupported; address=NativeSupported; alphanumeric=NativeSupported; message=NativeSupported; computer=NativeSupported" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Has seleccionado %1 como voz predeterminada." C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "French Phone Converter" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\de-DE-N\\AI041031" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Julie - French (France)" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Paul - French (France)" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Paul" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\it-IT\\MSTTSLocitIT.dat" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "1" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft David - English (United States)" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Laura - Spanish (Spain)" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-19_9683dda5462f983c35536907ab248964_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe"

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

Network

Country Destination Domain Proto
GB 2.21.6.226:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 216.58.201.99:80 c.pki.goog tcp

Files

C:\Program Files\7-Zip\7-zip.dll

MD5 573ce27e20449e284b919c487a35526b
SHA1 46d596989ce94953c94b6d5c5c176af6b3ccf784
SHA256 3600f01f77287451e7297d4ea9b454062bf4ef0d17736357e07fe530e7baa1b6
SHA512 0afb779e5dc4d97cbfed4df0a26e9302c41ff32ae562bf77fea700a7d9ea461a62d004797278b07a507a624bb18621e1094a514c36a090b68a7151212efe1fcf

C:\Program Files\Microsoft Office\root\Office16\VISSHE.DLL

MD5 76e336ca62749eb4a3e471f170cb3017
SHA1 2588ef15faa7c05d60fe9bd77a066dfcd47c6722
SHA256 675b2b3f3ef7b84bfa272130e1fe70ec52132badb2f21ca771907bb05be494be
SHA512 2ae20120e106893dbec0a2c48b86602bdbb2bd928633d59e54e5075ff525404a6ed935215b54fe547f7fa80bc138bfeb051a87c15ab655ff6b5abd0cd45adc14

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

MD5 df8314eb0dae6091c41f697729a97af5
SHA1 3dc5a38593185bd39eb92455ba5da9488990ce6c
SHA256 c98b441f54c471e1437fbf5dbc2b59e130af03456048fbea7657d93999560db7
SHA512 8db2c7b1b4f51ad0afa982c2e1abad7efd1a208a9e14927ce66288fda58c97f150c5ae0c32f3a06e4f8ba00798ad38e0a343f5a6bcb8413700effe93c9a91e35

memory/2744-5647-0x0000011F43C90000-0x0000011F43CB0000-memory.dmp

memory/2744-5654-0x0000011F43C50000-0x0000011F43C70000-memory.dmp

memory/2744-5655-0x0000012745260000-0x0000012745280000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133921384547499786.txt

MD5 47a4ff6651a6ebe2afb78d818e46dd8d
SHA1 e067066b8517d3c5c307801bb8e7c0f8a5347115
SHA256 ac89c0958969e99c2b73a36a3ccc0088452612b3074f15797e278d7cc0380fa4
SHA512 5876248e231761f8e1ce00c58f9aa80d3d96270fffc03e2be0d165a1a086dceac2bd1bb3a609efa4ac58197896753b26bc74d3c18186acf8a6959ce5bd8bd046

memory/4040-5731-0x0000027A2AB20000-0x0000027A2AC20000-memory.dmp

memory/4040-5732-0x0000027A2AB20000-0x0000027A2AC20000-memory.dmp

memory/4040-5736-0x000002822CC00000-0x000002822CC20000-memory.dmp

memory/4040-5770-0x000002822CBC0000-0x000002822CBE0000-memory.dmp

memory/4040-5771-0x000002822CF50000-0x000002822CF70000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\HXMWSROC\microsoft.windows[1].xml

MD5 d1fa3bb8936674b1a19634902bdfd5c8
SHA1 0ac11dd3a241056ea263e2a529558131da75a3bd
SHA256 880169ece509a987d4fe7f9f034d9fd302755704371fc2b54aa7b1e0f1f9395e
SHA512 2a49cebbbe0e9aff80dbc0f7ecf631054c986964132fc7d2325362d493d5ee50fb518de881f57972e8b6d21beb62c554392b7a06fd015d3f7548d6d71826678c

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat

MD5 585d59e56728fdeb3389e4fb7cd6bc3b
SHA1 bb169c6ec156a09bb60dc354958cd6cb3dd46090
SHA256 b16aa654cb4f6d1111954f861e1c2ff9ff2e97a4f5e9bed6ff3ae4cf9c1ac828
SHA512 212de690d347865bfbd5aebcae465b6eac5187013a9fe0b07e0275bf58e6f25d29b981c20a06ed894c2d3203090f51250e414b4b4dde7ede1f523670c3822665

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat

MD5 a700bf85ea76215925e01281cdb77e0a
SHA1 11f39902e4119d7aab491faadb6e0130de0f7bff
SHA256 9f1931f5df753efff55d89290a3c15308127f4973b72b73676e68a7562ed3adc
SHA512 74c615a08fce167f2438f70be1fd2a720ae4de7a3809e5483ce0a84eac31990c0950e9acf45051a17852256d56e4c47c2089d3f01b23134c87cdc62338b12327

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133921384630886023.txt

MD5 b9a3570135c6cdac61e23a655424bb81
SHA1 b25c823b867b820fa34e0d61892c99af1b3db241
SHA256 e193af6a87eea12acbb0e56ca2c4e0b078e4c775d8b0f46c327eeb0ce00ce2e6
SHA512 73f70af649bf07c3c9c9298c78f8fc1168be976af14b7e381ccf33fef36cfc4809becb8d2c7ecb5ea8d198f7bdf1c2f30ed1c800df4086099215c8ade7d86ca0

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{fb7ba1ed-65f5-4473-9f36-acefac690084}\apps.schema

MD5 1659677c45c49a78f33551da43494005
SHA1 ae588ef3c9ea7839be032ab4323e04bc260d9387
SHA256 5af0fc2a0b5ccecdc04e54b3c60f28e3ff5c7d4e1809c6d7c8469f0567c090bb
SHA512 740a1b6fd80508f29f0f080a8daddec802aabed467d8c5394468b0cf79d7628c1cb5b93cf69ed785999e8d4e2b0f86776b428d4fa0d1afcdf3cbf305615e5030

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{fb7ba1ed-65f5-4473-9f36-acefac690084}\apps.csg

MD5 5475132f1c603298967f332dc9ffb864
SHA1 4749174f29f34c7d75979c25f31d79774a49ea46
SHA256 0b0af873ef116a51fc2a2329dc9102817ce923f32a989c7a6846b4329abd62cd
SHA512 54433a284a6b7185c5f2131928b636d6850babebc09acc5ee6a747832f9e37945a60a7192f857a2f6b4dd20433ca38f24b8e438ba1424cc5c73f0aa2d8c946ff

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{fb7ba1ed-65f5-4473-9f36-acefac690084}\appsconversions.txt

MD5 f96bc17471a5a7512f96d1a7e96dc2ec
SHA1 dff2604dcf06f7da9566028771f81f3eb117105d
SHA256 d7b7ae405896463f8628f1acee505da01c95779aea86f6b63f3a426745030237
SHA512 01462aff1f1ca9fbc7a421a826984112cbef1546a41057213d76ad99fbf64ef131eb989fd3ae2bba1fac3c82c1081fd7c23b3b5d331bbe9d484f76d4ec57968d