gofing | 9c38ed5f117376d3308f58e8d0a1fa7914944250134ba581fd3a08b3a957e493

Analysis

max time kernel
66s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
30/03/2025, 18:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-30_5baf2c6dbc142c015b967226a9458f06_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
Size

4.2MB
MD5

5baf2c6dbc142c015b967226a9458f06
SHA1

bc22f24e3b694a748c067816c11fba6557004e23
SHA256

9c38ed5f117376d3308f58e8d0a1fa7914944250134ba581fd3a08b3a957e493
SHA512

d9cea1233e4edc642668047ddce47bfb065391478a9a5e43278085e02a9cb285c3f221c05e743a8c59f436cbdd58d6fe5d64ea97983f11e363546dc95ae9ce0e
SSDEEP

49152:ieutLO9rb/TrvO90dL3BmAFd4A64nsfJJ2TIA5GNP1Jr4u/TgAPNdi9128qk1q4R:ieF+iIAEl1JPz212IhzL+Bzz3dw/VP

Score

10^/10

gofing ransomware

Malware Config

Signatures

Gofing
Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.
ransomware gofing
Gofing family
gofing

Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation. 11 IoCs

resource	yara_rule
behavioral2/files/0x0003000000022a7c-4.dat	family_gofing
behavioral2/files/0x0002000000021aa3-5440.dat	family_gofing
behavioral2/files/0x0002000000021a9a-5464.dat	family_gofing
behavioral2/files/0x000200000001e65b-5803.dat	family_gofing
behavioral2/files/0x00020000000227c3-5848.dat	family_gofing
behavioral2/files/0x00020000000227a4-5847.dat	family_gofing
behavioral2/files/0x00020000000227a3-5846.dat	family_gofing
behavioral2/files/0x00020000000227a2-5845.dat	family_gofing
behavioral2/files/0x00020000000227a1-5844.dat	family_gofing
behavioral2/files/0x00020000000227a0-5843.dat	family_gofing
behavioral2/files/0x000200000002279f-5842.dat	family_gofing

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\$Recycle.Bin\S-1-5-21-805952410-2104024357-1716932545-1000\desktop.ini	2025-03-30_5baf2c6dbc142c015b967226a9458f06_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	2025-03-30_5baf2c6dbc142c015b967226a9458f06_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RIPPLE\THMBNAIL.PNG	2025-03-30_5baf2c6dbc142c015b967226a9458f06_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-72.png	2025-03-30_5baf2c6dbc142c015b967226a9458f06_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionGroupSmallTile.scale-150.png	2025-03-30_5baf2c6dbc142c015b967226a9458f06_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\ScreenSketchAppService.winmd	2025-03-30_5baf2c6dbc142c015b967226a9458f06_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-256_altform-unplated_contrast-black.png	2025-03-30_5baf2c6dbc142c015b967226a9458f06_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-pl.xrm-ms	2025-03-30_5baf2c6dbc142c015b967226a9458f06_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Office16\officestoragehost.dll	2025-03-30_5baf2c6dbc142c015b967226a9458f06_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SKY\SKY.INF	2025-03-30_5baf2c6dbc142c015b967226a9458f06_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml	2025-03-30_5baf2c6dbc142c015b967226a9458f06_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\SplashScreen.scale-100.png	2025-03-30_5baf2c6dbc142c015b967226a9458f06_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-80_altform-unplated.png	2025-03-30_5baf2c6dbc142c015b967226a9458f06_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui	2025-03-30_5baf2c6dbc142c015b967226a9458f06_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-pl.xrm-ms	2025-03-30_5baf2c6dbc142c015b967226a9458f06_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientOSub2019_eula.txt	2025-03-30_5baf2c6dbc142c015b967226a9458f06_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Weather_LogoSmall.targetsize-48.png	2025-03-30_5baf2c6dbc142c015b967226a9458f06_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageWideTile.scale-400.png	2025-03-30_5baf2c6dbc142c015b967226a9458f06_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\sending.gif	2025-03-30_5baf2c6dbc142c015b967226a9458f06_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\7-Zip\Lang\gl.txt	2025-03-30_5baf2c6dbc142c015b967226a9458f06_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\vreg\onenotemui.msi.16.en-us.vreg.dat	2025-03-30_5baf2c6dbc142c015b967226a9458f06_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\text_renderer\libfreetype_plugin.dll	2025-03-30_5baf2c6dbc142c015b967226a9458f06_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Windows Defender\it-IT\shellext.dll.mui	2025-03-30_5baf2c6dbc142c015b967226a9458f06_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Viewpoints\Light\MilitaryRight.png	2025-03-30_5baf2c6dbc142c015b967226a9458f06_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-30_altform-colorize.png	2025-03-30_5baf2c6dbc142c015b967226a9458f06_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\mshwLatin.dll.mui	2025-03-30_5baf2c6dbc142c015b967226a9458f06_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CAPSULES\CAPSULES.ELM	2025-03-30_5baf2c6dbc142c015b967226a9458f06_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Windows Media Player\de-DE\wmpnetwk.exe.mui	2025-03-30_5baf2c6dbc142c015b967226a9458f06_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\sr-Latn-RS\View3d\3DViewerProductDescription-universal.xml	2025-03-30_5baf2c6dbc142c015b967226a9458f06_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-80_altform-unplated_contrast-white.png	2025-03-30_5baf2c6dbc142c015b967226a9458f06_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Google\Chrome\Application\133.0.6943.60\Locales\ca.pak	2025-03-30_5baf2c6dbc142c015b967226a9458f06_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\xmlresolver.md	2025-03-30_5baf2c6dbc142c015b967226a9458f06_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\SmallLogo.scale-125_contrast-black.png	2025-03-30_5baf2c6dbc142c015b967226a9458f06_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\FileIcons\FileLogoExtensions.targetsize-24.png	2025-03-30_5baf2c6dbc142c015b967226a9458f06_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_output\libamem_plugin.dll	2025-03-30_5baf2c6dbc142c015b967226a9458f06_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\TimerSmallTile.contrast-black_scale-125.png	2025-03-30_5baf2c6dbc142c015b967226a9458f06_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.scale-150.png	2025-03-30_5baf2c6dbc142c015b967226a9458f06_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\LargeTile.scale-400_contrast-black.png	2025-03-30_5baf2c6dbc142c015b967226a9458f06_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-runtime-l1-1-0.dll	2025-03-30_5baf2c6dbc142c015b967226a9458f06_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jre-1.8\release	2025-03-30_5baf2c6dbc142c015b967226a9458f06_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.DataStreamer.Excel.dll	2025-03-30_5baf2c6dbc142c015b967226a9458f06_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OART.DLL	2025-03-30_5baf2c6dbc142c015b967226a9458f06_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\rsod\osmux.x-none.msi.16.x-none.boot.tree.dat	2025-03-30_5baf2c6dbc142c015b967226a9458f06_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\hive.xsl	2025-03-30_5baf2c6dbc142c015b967226a9458f06_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\StoreLogo.scale-125.png	2025-03-30_5baf2c6dbc142c015b967226a9458f06_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubAppList.scale-100.png	2025-03-30_5baf2c6dbc142c015b967226a9458f06_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\asm.md	2025-03-30_5baf2c6dbc142c015b967226a9458f06_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-crt-runtime-l1-1-0.dll	2025-03-30_5baf2c6dbc142c015b967226a9458f06_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Win.UltraWinTabControl.v8.1.dll	2025-03-30_5baf2c6dbc142c015b967226a9458f06_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\StoreLogo\PaintApplist.scale-200.png	2025-03-30_5baf2c6dbc142c015b967226a9458f06_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.contrast-black_targetsize-96.png	2025-03-30_5baf2c6dbc142c015b967226a9458f06_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-ul-phn.xrm-ms	2025-03-30_5baf2c6dbc142c015b967226a9458f06_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-pl.xrm-ms	2025-03-30_5baf2c6dbc142c015b967226a9458f06_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-140.png	2025-03-30_5baf2c6dbc142c015b967226a9458f06_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraWideTile.contrast-black_scale-125.png	2025-03-30_5baf2c6dbc142c015b967226a9458f06_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-black\MedTile.scale-125_contrast-black.png	2025-03-30_5baf2c6dbc142c015b967226a9458f06_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GameBar_StoreLogo.scale-125.png	2025-03-30_5baf2c6dbc142c015b967226a9458f06_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.scale-100.png	2025-03-30_5baf2c6dbc142c015b967226a9458f06_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-30_altform-fullcolor.png	2025-03-30_5baf2c6dbc142c015b967226a9458f06_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\1033\msointl30.dll	2025-03-30_5baf2c6dbc142c015b967226a9458f06_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_output\libflaschen_plugin.dll	2025-03-30_5baf2c6dbc142c015b967226a9458f06_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\Weather_TileWide.scale-200.png	2025-03-30_5baf2c6dbc142c015b967226a9458f06_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Star.png	2025-03-30_5baf2c6dbc142c015b967226a9458f06_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ClippingTool.targetsize-32.png	2025-03-30_5baf2c6dbc142c015b967226a9458f06_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL102.XML	2025-03-30_5baf2c6dbc142c015b967226a9458f06_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Dial\RotateHorizontally.png	2025-03-30_5baf2c6dbc142c015b967226a9458f06_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe

C:\Users\Admin\AppData\Local\Temp\2025-03-30_5baf2c6dbc142c015b967226a9458f06_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-30_5baf2c6dbc142c015b967226a9458f06_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
PID:3356

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3876

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3400

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.dll

Filesize
5.9MB

MD5
480a7c553d90496e50da3eab85476f22

SHA1
24ec4ed3e106fb4f3299acaffafda3115bdadd10

SHA256
95e7d5f763d2875f0c8c5a30a30d7e3938c43e988a44848fd354dfa83ed224d5

SHA512
9eeb77e54c6f6b982369a9c41e366d66b509ceea0d6b21b82c3efa8b36f84f3203b6e35422adefc070d866af2e00ef12327492621b8b82b90f66fcadc12143af

Download Submit
C:\Program Files\Microsoft Office\root\Office16\VISSHE.DLL

Filesize
4.4MB

MD5
ae728a4e3d40d6af58eda6c33d2d5fca

SHA1
c15d9fb0b8f78d9534e02eab822a83dc4c92c474

SHA256
2624585d5f0a994fdd91d589138d29c9ac2a2439bf5dd7c6bb1bf20d6e476a5b

SHA512
103f3cc83690942a871cbd9789e447a5850d7fbbeaaf51ccb76e8033ce4d02609fc215b6d67f6c6808e6b1ceb96abf727bbc9f06ee9e12858efb4ba3a737edeb

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

Filesize
5.8MB

MD5
5f90c289bed95d2fec4f841cee459133

SHA1
6a4cac14deabf1c943ded76ea10ee6806e9d006f

SHA256
6bdbec905e4bcb9c5bee593eab028a4bcbd2f02d9629557985d872e525c95337

SHA512
7b9f70a9de05a7b4e2dc59ab94df03cd7917a79760c49c2224285f452be394a744e9869ca490aee7f0a19b43fa5a3e2d222a07744488404fcf83d38e48355f8a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\VQX1G21I\microsoft.windows[1].xml

Filesize
97B

MD5
339bbadc929df2042bb83ba4d8452a7f

SHA1
71a4baeb8f211ae0249be52e4ff20e217d62f9c1

SHA256
aea53d9f972a38ec4e75383ed441cb654354db1b243281f6376d75e804d9b4af

SHA512
220b455b983033a001ad30e0f7cd9cb9f82f4860e8d8e559f2cdcd211934a86226051ebccddf591fc6998746e8a0b2ef7bbaed7585a549d158488f0617e9d696

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\95d9a2a97a42f02325559b453ba7f8fe839baa18.tbres

Filesize
2KB

MD5
0967d5c7131415944ed6ece1b56cefd7

SHA1
876a1ed49a98c575a1f8084f5c842e1659cdd81e

SHA256
7eccd26355162c89f1cbbd29f949d37bc2a0b8c0ab62b6b93b997d113c2cf164

SHA512
64f0bf0d6511d4648337abc7337c01c4ae842fc1525458570122b4d1fc7300d0b04860e17be4f6f1de81630243620520af044980a76865bdc437efdf75c91c06

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{2d0e5545-a19a-409a-8d3f-53b61aa2f549}\Appssynonyms.txt

Filesize
4.3MB

MD5
ceda935c7c5a941ae5987abef694d206

SHA1
2e19331efe47375a13be415e7935c7a65b12ed89

SHA256
59f1d9abf097bcf372be90e717e1dabd84ef1140ef5d667b2e1f541511142121

SHA512
b403fba88c5c0b642a30b724c3bb00d2afdc737c8f2cbda8817cc69986d0d85ba8a9d358c1ef68abadeee4cde48a024342861d5b5051401706cde89aad60c5cd

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133878347855215645.txt

Filesize
26KB

MD5
5808f367ef5879794426180861589c1a

SHA1
4951e524f11c3b9e7bf7210749c322943f9ba3ee

SHA256
a848aa5e36ae5dc2a596971dbb802bf14fc2c4ec84dc0b734f14ef8499e5920f

SHA512
b5a5f5238ca963d821389942d7741e7c2eff6e03af0378b4594a9b315d33da61b26c6841a03a64aa3a89837f92cc5d88f07e537445f40a8bc0747ef98de54ee1

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133878347903716860.txt

Filesize
14KB

MD5
b9a3570135c6cdac61e23a655424bb81

SHA1
b25c823b867b820fa34e0d61892c99af1b3db241

SHA256
e193af6a87eea12acbb0e56ca2c4e0b078e4c775d8b0f46c327eeb0ce00ce2e6

SHA512
73f70af649bf07c3c9c9298c78f8fc1168be976af14b7e381ccf33fef36cfc4809becb8d2c7ecb5ea8d198f7bdf1c2f30ed1c800df4086099215c8ade7d86ca0

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat

Filesize
12KB

MD5
da314ba5def7ad83d3650f89f9055a3c

SHA1
3f97270683b4abb035ba405be9e6a3b88bfe80c0

SHA256
ecf0a40cee0379b8d6f80d1848b1a508793d5a108e8d520f0478956d434cfb9f

SHA512
0c1af970605c34f14c41f0c1041efcbe961c33a4c9d44807bd6107cced1469ce5f02dfac3695a84089594ce0283ca7df40197ce287b200f8d5b964db31e90fb9

Download Submit
C:\WINDOWS\FONTS\ANTQUAB.TTF

Filesize
4.3MB

MD5
6a04973651d3176e25cd5a26b5e6b71f

SHA1
7b432828fb9c45276c3e4b3df846d29b3a7ed8a1

SHA256
eedce13e3aee381790c9ee4681cbcc29fe6a5f241a03260bc5233446e329b8a9

SHA512
a48752a4ad615231ae838dbeaa423c571df775f6693d128062b67b90fb14c731e572f8864373b78cbf30733dbf3629da7372f348c8a9c0d86521baedeb297c15

Download Submit
C:\WINDOWS\FONTS\ANTQUABI.TTF

Filesize
4.3MB

MD5
61023971d1556c08510e4f5d579ef0a5

SHA1
af525f3d1adf45b44339f75155c86cdbaae6158a

SHA256
a495efc7cf0be2961140d56c9b45620396e6c778f3620d2a3cb5601ea51ed57a

SHA512
9162ec3fab8585bbefe9e359c4b2b399bf29065c265e8759fa4b7968ef917d81e72170d3b96489306dd996910f91e99c9801fe87dddb3161efd5751e403276dd

Download Submit
C:\WINDOWS\FONTS\ANTQUAI.TTF

Filesize
4.2MB

MD5
c3e769024c5eb303d1b03336caacfc37

SHA1
7bd4bfce495dabaa4d8d19d905661afc69be450e

SHA256
783ed2d8729a3c58bf6871b7d755e8107555f17c59b2cbbbcb44bd72526cf432

SHA512
a3ea8dd5a6929b09a2f0ce5d067bf4ed9015792a1438e6abf3cd5e8f4d470da7b72cb5f1fb2cb8423ee3b8c1fb84c8d1d683b6e96b9195729a6c22e8fe336f35

Download Submit
C:\WINDOWS\FONTS\ARIALN.TTF

Filesize
4.3MB

MD5
ab13e210d88a4ca2fe864e6b97dfa5f3

SHA1
77f5f1bc704b9b832784a56db6ea9d561e85aedf

SHA256
319635891c57b3f55e3e650c18ac83d0b071542ae627de06fa925538fb324588

SHA512
a8b3778bbfd6c5dc58a6d04fe47a8897be4892defbcc4ce196d926ce4da0286cb4294c4d4b0e4b467f10f610cb5ebf69652ba62f82634815133a1741cbe0f8ea

Download Submit
C:\WINDOWS\FONTS\ARIALNB.TTF

Filesize
4.3MB

MD5
b9fd5608bd1ed9c181c5c8e31cdba52d

SHA1
f279e2538c76474c76ed20ba43f3eadc320f3894

SHA256
d801e9bb6a34fd8179bebef1c7aa8ec5dedd5ad61266590ee7209d4de8c96250

SHA512
61d54282b96532bdffee7b55f1a75e87b9ea2eb93ea70d9b1c29926afbd911e1cab53928f41a0dc75f5d7524d8598c7984ff98459e1e7c10d8d91f4ec06d702e

Download Submit
C:\WINDOWS\FONTS\ARIALNBI.TTF

Filesize
4.3MB

MD5
9cc22829e7816638aab381d7881a340d

SHA1
4b4e57e0a3600add356971ca299625eca6236417

SHA256
b6895785362260f7ffd073bcc5b9e317af634870b932e6b7af47c2fb1c7f7fb9

SHA512
2b07dea542de0c3b5701c3bbdf2f3ce41ceb3c8f5f2973e5a547416d7e5bf490dd5896751e7b8fa712172429b9311c012566343a2de5a41be394804395daad81

Download Submit
C:\WINDOWS\FONTS\MSUIGHUR.TTF

Filesize
4.3MB

MD5
9d67620950670e377d956069fe4e59b3

SHA1
94b502112fbbb00fffced6293b3c2a25cac6d307

SHA256
b9a83c8c1498cf70f9c1788f7d4a332f6084e29216359e734c6e27484247f7e6

SHA512
bad5b8620d9e152c4f4685e6341c8c16e827928a639400082c60b76738134247e1a483339c0da3236a9b1cfb4c11235f12df4a465c9b4f3e8e0b556ca15427f9

Download Submit
memory/3400-5856-0x000001852F660000-0x000001852F680000-memory.dmp

Filesize
128KB

Download
memory/3400-5887-0x000001852FA20000-0x000001852FA40000-memory.dmp

Filesize
128KB

Download
memory/3400-5865-0x000001852F620000-0x000001852F640000-memory.dmp

Filesize
128KB

Download
memory/3876-5797-0x000001C8784C0000-0x000001C8784E0000-memory.dmp

Filesize
128KB

Download
memory/3876-5796-0x000001C878130000-0x000001C878150000-memory.dmp

Filesize
128KB

Download
memory/3876-5788-0x000001C878170000-0x000001C878190000-memory.dmp

Filesize
128KB

Download