Malware Analysis Report

2025-08-05 15:06

Sample ID 250519-rxrlhshr7y
Target 2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch
SHA256 991c07d9836f6523cd1a62e546a9aaf35ddde4b45c7154b02c963187c365bbec
Tags
gofing credential_access discovery ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

991c07d9836f6523cd1a62e546a9aaf35ddde4b45c7154b02c963187c365bbec

Threat Level: Known bad

The file 2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch was found to be: Known bad.

Malicious Activity Summary

gofing credential_access discovery ransomware spyware stealer

Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

Gofing family

Gofing

Renames multiple (52) files with added filename extension

Manipulates Digital Signatures

Drops file in Drivers directory

Reads user/profile data of web browsers

Loads dropped DLL

Drops startup file

Credentials from Password Stores: Windows Credential Manager

Drops Chrome extension

Drops desktop.ini file(s)

Drops file in System32 directory

Drops autorun.inf file

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Browser Information Discovery

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-19 14:34

Signatures

Gofing family

gofing

Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-19 14:34

Reported

2025-05-19 14:37

Platform

win10v2004-20250502-en

Max time kernel

150s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe"

Signatures

Gofing

ransomware gofing

Gofing family

gofing

Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Renames multiple (52) files with added filename extension

ransomware

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\fr-FR\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\it-IT\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\ja-JP\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\uk-UA\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\afunix.sys C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\de-DE\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\es-ES\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\en-US\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\en-US\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\es-ES\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\fr-FR\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\it-IT\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\gm.dls C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\gmreadme.txt C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\ja-JP\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\drivers\de-DE\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\manifest.json C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Media\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Offline Web Pages\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\$Recycle.Bin\S-1-5-21-2930597513-779029253-718817275-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Downloaded Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Dism\de-DE\FfuProvider.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\VpnClient\PS_VpnConnectionIPsecConfiguration_v1.0.cdxml C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\pwrshmsg.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\de-DE\msmpeg2enc.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\fi-FI\APHostRes.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\it-IT\SMBHelperClass.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\it-IT\dot3gpclnt.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\uk-UA\cmlua.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\RdpSaUacHelper.exe C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_WaitForSome\en-US\MSFT_WaitForSome.schema.mfl C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\en-US\licmgr10.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\en-US\netshell.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\wbem\uk-UA\wsp_fs_uninstall.mfl C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\InstallShield\setupdir\0804\_setup.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\en-US\sc.exe.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-System-VmDirect-merged-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\en-US\srm.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\fr-FR\apphelp.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Containers-DisposableClientVM-merged-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\PerceptionDevice.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\atmlib.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\gcdef.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\msacm32.drv C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\wbem\it-IT\PS_MMAgent.mfl C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\BlbEvents.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-HypervisorPlatform-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\fr-FR\msdrm.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\fr-FR\onexui.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\fr-FR\sxstrace.exe.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\imageres.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\ucmhc.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PrintManagement\MSFT_WsdPrinterPort.format.ps1xml C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\de-DE\rsop.msc C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\fr-FR\dot3api.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\wbem\rawxml.xsl C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\lcphrase.tbl C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\wbem\p2p-pnrp.mof C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\wbem\uk-UA\whqlprov.mfl C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_RegistryResource\en-US\MSFT_RegistryResource.strings.psd1 C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\fr-FR\portabledevicestatus.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\wbem\it-IT\MMFUtil.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\KBDSORA.DLL C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\Windows.Storage.OneCore.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\de-DE\mstask.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\Dism\es-ES\LogProvider.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\txfw32.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\System32\AssignedAccessRuntime.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\KBDFTHRK.DLL C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\mfc100ita.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\wbem\en-US\hform.xsl C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\wbem\uk-UA\netdacim.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\es-ES\ntlanman.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\rdpviewerax.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\wbem\de-DE\FolderRedirectionWMIProvider.mfl C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\en-US\compmgmt.msc C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\es-ES\UserDeviceRegistration.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\iemigplugin.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\it-IT\wmitomi.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\ja-JP\fwpuclnt.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\it-IT\gpsvc.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\ja-JP\ntlanman.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\de-DE\cmutil.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\KBDINORI.DLL C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_GroupResource\MSFT_GroupResource.schema.mof C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\Be.Tests.ps1 C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\it-IT\ShapeCollector.exe.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Web.Entity.Resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libchorus_flanger_plugin.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\PeopleSmallTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\Assets\GameBar_SplashScreen.scale-200.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Trust Protection Lists\Mu\Analytics C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-60_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\back-arrow-down.svg C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\dot.cur C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalAppList.targetsize-64_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNewNoteSmallTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\GenericMailLargeTile.scale-150.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\ja-JP\sqlxmlx.rll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\SharedPerformance.man C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-140.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-16_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\ReachFramework.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\flags.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\fr-fr\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\ClientVolumeLicense2019_eula.txt C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.DataIntegration.FuzzyMatchingCommon.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\Movie-TVStoreLogo.scale-125_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00.UWPDesktop_14.0.27629.0_x64__8wekyb3d8bbwe\mfc140u.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.scale-200.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ug\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\manifests\BuiltinTranslator.xml C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN090.XML C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECHO\THMBNAIL.PNG C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubBadgeLogo.scale-200_contrast-high.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ScCore.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\TabTip32.exe.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeUpdate_disable\1.3.195.43\MicrosoftEdgeUpdateBroker.exe C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\UIAutomationProvider.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\java.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\ext\meta-index C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Microsoft.Advertising\vpaid.js C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\PresentationFramework.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\root\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\css\main.css C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\plugin2\msvcp140.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_Subscription-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\19.jpg C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxSignature.p7x C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\EmptyView.scale-100.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-256_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\favicon.ico C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\OneNoteFreeR_Bypass-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEERR.DLL C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\Mozilla Firefox\default-browser-agent.exe C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageLargeTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\SkypeWideTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailMediumTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Data.DataSetExtensions.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\selector.js C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\5.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-24_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\resources\strings\LocalizedStrings_da.json C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-64_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Outlook.scale-200.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\en-US\Microsoft.Windows.ApplicationServer.Applications.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\de\ReachFramework.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Routing.resources\v4.0_4.0.0.0_es_31bf3856ad364e35\System.Web.Routing.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\en-US\SmartScreen.adml C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Fonts\Candara.ttf C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Help\mui\0409\sqlsoldb.chm C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Input.Manipulations.resources\v4.0_4.0.0.0_es_b77a5c561934e089\System.Windows.Input.Manipulations.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\mdmcom1.inf C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\microsoft_bluetooth_hfp_hf.inf C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\CENTEURO.TXT C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\1036\FileTrackerUI.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\Wizard\App_LocalResources\wizardProviderInfo.ascx.ja.resx C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\it\Microsoft.Build.Conversion.v4.0.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\it-IT\Power.adml C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\megasr.inf C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\JA\JSC.Resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ja\System.Security.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\PresentationFramework.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_32\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\msbuild.exe.config C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\ja-JP\TerminalServer.adml C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Speech_OneCore\Engines\TTS\it-IT\M1040ElsaV2.INI C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Help\mui\0C0A\cliconf.chm C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ImmersiveControlPanel\images\TinyTile.contrast-white_scale-125.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Collections.NonGeneric.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ja-JP\ServiceModelInstallRC.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Users\App_LocalResources\editUser.aspx.es.resx C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\de\PresentationUI.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\de\aspnet_regbrowsers.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\sbp2.PNF C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\EPDF_RHP.aapp C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\CacheSize.txt C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\Roles\App_LocalResources\manageAllRoles.aspx.de.resx C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\1031\mscoreeis.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\it\System.Windows.Forms.DataVisualization.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.AppV.AppVClientWmi.Resources\v4.0_10.0.0.0_ja_31bf3856ad364e35\Microsoft.AppV.AppVClientWmi.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.resources\v4.0_4.0.0.0_fr_b03f5f7f11d50a3a\Microsoft.Build.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File opened for modification C:\Windows\BitLockerDiscoveryVolumeContents\es-MX_BitLockerToGo.exe.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\DE\aspnet_compiler.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Http\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceModel.Http.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\en-US\PowerShellExecutionPolicy.adml C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Speech_OneCore\Engines\TTS\ja-JP\M1041Ichiro.INI C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Fonts\bahnschrift.ttf C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\prnms011.inf C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Entity\v4.0_4.0.0.0__b77a5c561934e089\System.Data.Entity.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\en-US\WinLogon.adml C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\ja-JP\Sensors.adml C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Boot\Resources\de-DE\bootres.dll.mui C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\.NET Data Provider for SqlServer\0000\_dataperfcounters_shared12_neutral_d.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\ImmersiveControlPanel\images\TileSmall.contrast-black.png C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\DE\System.Configuration.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.DeveloperLicense.Commands.Resources\v4.0_10.0.0.0_de_31bf3856ad364e35\Microsoft.Windows.DeveloperLicense.Commands.Resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\PolicyDefinitions\en-US\AppxPackageManager.adml C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\c_netclient.inf C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\mdmx5560.inf C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\System.Web.Mobile.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\ja\UIAutomationProvider.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.WorkflowServices.resources\v4.0_4.0.0.0_es_31bf3856ad364e35\System.WorkflowServices.resources.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\Cursors\aero_arrow.cur C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\c_scmvolume.inf C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A
File created C:\Windows\INF\netvg63a.inf C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe N/A

Browser Information Discovery

discovery

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "MS-1033-110-WINMO-DNN" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\fr-FR\\VoiceActivation_fr-FR.dat" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "%windir%\\Speech_OneCore\\Engines\\SR\\ja-JP-N\\tn1041.bin" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\L1033" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "You have selected %1 as the default voice." C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "309C 309C 30A1 30A1 30A2 30A2 30A3 30A3 30A4 30A4 30A5 30A5 30A6 30A6 30A7 30A7 30A8 30A8 30A9 30A9 30AA 30AA 30AB 30AB 30AC 30AC 30AD 30AD 30AE 30AE 30AF 30AF 30B0 30B0 30B1 30B1 30B2 30B2 30B3 30B3 30B4 30B4 30B5 30B5 30B6 30B6 30B7 30B7 30B8 30B8 30B9 30B9 30BA 30BA 30BB 30BB 30BC 30BC 30BD 30BD 30BE 30BE 30BF 30BF 30C0 30C0 30C1 30C1 30C2 30C2 30C3 30C3 30C4 30C4 30C5 30C5 30C6 30C6 30C7 30C7 30C8 30C8 30C9 30C9 30CA 30CA 30CB 30CB 30CC 30CC 30CD 30CD 30CE 30CE 30CF 30CF 30D0 30D0 30D1 30D1 30D2 30D2 30D3 30D3 30D4 30D4 30D5 30D5 30D6 30D6 30D7 30D7 30D8 30D8 30D9 30D9 30DA 30DA 30DB 30DB 30DC 30DC 30DD 30DD 30DE 30DE 30DF 30DF 30E0 30E0 30E1 30E1 30E2 30E2 30E3 30E3 30E4 30E4 30E5 30E5 30E6 30E6 30E7 30E7 30E8 30E8 30E9 30E9 30EA 30EA 30EB 30EB 30EC 30EC 30ED 30ED 30EE 30EE 30EF 30EF 30F0 30F0 30F1 30F1 30F2 30F2 30F3 30F3 30F4 30F4 30F5 30F5 30F6 30F6 30F7 30F7 30F8 30F8 30F9 30F9 30FA 30FA 30FB 30FB 30FC 30FC 30FD 30FD 30FE 30FE 0021 0021 0027 0027 002B 002B 002E 002E 003F 003F 005F 005F 007C 007C" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "en-US" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "{6BFCACDC-A6A6-4343-9CF6-83A83727367B}" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "SR en-US Lts Lexicon" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "Microsoft Pablo" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "Microsoft Julie" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "MS-1041-110-WINMO-DNN" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\ja-JP\\sidubm.table" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "129" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "{14E74C62-DC97-43B0-8F2F-581496A65D60}" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "SR es-ES Locale Handler" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "{31350404-77AC-4471-B33A-9020A2EDA1D1}" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\es-ES\\sidubm.table" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "{2984A9DB-5689-43AD-877D-14999A15DD46}" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "Microsoft Julie - French (France)" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "SR it-IT Locale Handler" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "Microsoft Ayumi" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "0" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "HKEY_LOCAL_MACHINE/SOFTWARE\\Microsoft\\Speech_OneCore\\AudioOutput\\TokenEnums\\MMAudioOut\\" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "{0B3398EA-00F1-418b-AA31-6F2F9BE5809B}" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "%windir%\\Speech_OneCore\\Engines\\SR\\de-DE-N\\c1031.fe" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "%windir%\\Speech_OneCore\\Engines\\TTS\\en-US\\M1033Zira" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "%windir%\\Speech_OneCore\\Engines\\TTS\\es-ES\\M3082Helena" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "%windir%\\Speech_OneCore\\Engines\\SR\\it-IT-N\\r1040sr.lxa" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "German Phone Converter" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "%windir%\\Speech_OneCore\\Engines\\SR\\de-DE-N\\AI041031" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\lsr1033.lxa" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "Microsoft Pablo - Spanish (Spain)" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\fr-FR\\VoiceActivation_HW_fr-FR.dat" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "%windir%\\Speech_OneCore\\Engines\\TTS\\it-IT\\M1040Cosimo" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "{C6FABB24-E332-46FB-BC91-FF331B2D51F0}" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "%windir%\\Speech_OneCore\\Engines\\SR\\de-DE-N\\r1031sr.lxa" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "Microsoft Hedda - German (Germany)" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\de-DE\\VoiceActivation_HW_de-DE.dat" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "%windir%\\Speech_OneCore\\Engines\\TTS\\en-US\\MSTTSLocenUS.dat" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "%windir%\\Speech_OneCore\\Engines\\TTS\\de-DE\\M1031Hedda" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "%windir%\\Speech_OneCore\\Engines\\SR\\es-ES-N\\r3082sr.lxa" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "SR es-ES Lts Lexicon" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "Microsoft Helena - Spanish (Spain)" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "%windir%\\Speech_OneCore\\Engines\\SR\\ja-JP-N\\r1041sr.lxa" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "002D 002D 0021 0021 0026 0026 002C 002C 002E 002E 003F 003F 005F 005F 002B 002B 002A 002A 02C9 02C9 02CA 02CA 02C7 02C7 02CB 02CB 02D9 02D9 3000 3000 3105 3105 3106 3106 3107 3107 3108 3108 3109 3109 310A 310A 310B 310B 310C 310C 310D 310D 310E 310E 310F 310F 3110 3110 3111 3111 3112 3112 3113 3113 3114 3114 3115 3115 3116 3116 3117 3117 3118 3118 3119 3119 3127 3127 3128 3128 3129 3129 311A 311A 311B 311B 311C 311C 311D 311D 311E 311E 311F 311F 3120 3120 3121 3121 3122 3122 3123 3123 3124 3124 3125 3125 3126 3126" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "Microsoft Speech SW Voice Activation - French (France)" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\ja-JP\\VoiceActivation_ja-JP.dat" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "Sie haben %1 als Standardstimme ausgewählt." C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "Microsoft Ichiro" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\CortanaVoices\\Tokens\\MSTTS_V110_enUS_EvaM" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "Near" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-19_9faa3989e1c265c64243e541933006a4_cobalt-strike_frostygoop_ghostlocker_gofing_luca-stealer_sliver_snatch.exe"

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

Network

Country Destination Domain Proto
NL 2.16.106.207:443 www.bing.com tcp
NL 2.16.106.207:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 216.58.201.99:80 c.pki.goog tcp

Files

C:\Program Files\7-Zip\7-zip.dll

MD5 7d23f494eb481c8e8218a4d5d256c2a8
SHA1 08374433e7f1d31a8686a81beadc6f7e5e6d6458
SHA256 1058ec1dccf26989b31c1cee50c7e611382b8604a5434fc6b4e366fc0c964415
SHA512 6906ba12f751baabc88b3bd55c61a4b8dd619a3f4d73ba8e9983c5f9844d668ceded89f4782c7106c13740a2b91fe9bf071d91c43e6d3b98068e38f6efb64164

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

MD5 4e291df50371d2e638e6a06facd3c167
SHA1 037d9818ca840983ac914a284925c00600166dba
SHA256 f44b83b8b8294826cddc74a243bfafca6384119a0f86e6b0d97cf18d8384dc71
SHA512 26fd858d2fa19f245e6f4395c97bf4ed8e7ceadbef0e772bea5df45f2995ea56028151582ff8dc99c01911afd2c0e352e9c0b8f897858832d5830c8056dbef24

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat

MD5 00c7f3ed978b5c62695a5acb5553a493
SHA1 7077ecd9d2a9f7a25c71c01ef8169ed70ddfe8f3
SHA256 991223388174e48476ec0744a4b928ed812266c5f5f8c1fc6338c55f09c0a3f6
SHA512 4ca590859c17503fa990e53c0b25540b5c1849516cb756d1a03850aa327e32994bcb857c9f7d36b6b8bb1ead273236fba5fd6b37dd84f8572803c82b7272deac

memory/2256-5879-0x00000290E9840000-0x00000290E9860000-memory.dmp

memory/2256-5887-0x00000290E9800000-0x00000290E9820000-memory.dmp

memory/2256-5888-0x00000290E9B80000-0x00000290E9BA0000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\T8NJX1ZX\microsoft.windows[1].xml

MD5 ab679a886ba5bdef46117adbc46673e9
SHA1 12a618ecf20dd5badf25804d865bc7999d35fdf0
SHA256 a030bd09e7e25a30fa07ca6f7ab78d9c31e966c1a9decea5b6d4082796d2c105
SHA512 71bf6f403280b00aa89e007e75355b69a8feb4aa21948386f9cc3ecf8c3f823f52ab3c9732292a0892f25277d48b2efb4f7ddcf6b90612ac2125e9097012aacf

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat

MD5 afe53fbbff0f11ad7c1560e5f7637352
SHA1 ddbbb3d0a851c0b665e603dd699c978097ce8425
SHA256 088ce95aabb8e49ac41da4e8c1ab709c88a79a797b978b1db4174e1e66eaa193
SHA512 65f3a35969b9db97761ee227ee2839f0498b84472569387883d8085fe391080b1e0ecfc1066877201f1b60cdd44163714153dedfd9e78210587d9522097b6e48

memory/3556-5927-0x0000021E50B80000-0x0000021E50BA0000-memory.dmp

memory/3556-5928-0x0000021E50B40000-0x0000021E50B60000-memory.dmp

memory/3556-5929-0x0000021E50F50000-0x0000021E50F70000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133921390014919862.txt

MD5 b9a3570135c6cdac61e23a655424bb81
SHA1 b25c823b867b820fa34e0d61892c99af1b3db241
SHA256 e193af6a87eea12acbb0e56ca2c4e0b078e4c775d8b0f46c327eeb0ce00ce2e6
SHA512 73f70af649bf07c3c9c9298c78f8fc1168be976af14b7e381ccf33fef36cfc4809becb8d2c7ecb5ea8d198f7bdf1c2f30ed1c800df4086099215c8ade7d86ca0