gofing | b86000a8e36f69a5767bab47f4a77c42ec1cedbb066ef685a0c0e828cb570981

Analysis

max time kernel
132s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
30/03/2025, 19:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
Size

4.2MB
MD5

aa627512df8f39f8522ce27a1b9721dd
SHA1

23ddc0cc55e3eb4717f6e9f12b8c01e0c7cf036c
SHA256

b86000a8e36f69a5767bab47f4a77c42ec1cedbb066ef685a0c0e828cb570981
SHA512

5798ada28d270397210fa1ee0e759d65584afc89d0a19c3eccd9bcb64fe0f882165c9d4ba8e8baa335b4c6f9040b9bcb1d49d43615e9188e66b5e8e81b7d1360
SSDEEP

49152:ieutLO9rb/TrvO90dL3BmAFd4A64nsfJJ2TIA5GNP1Jr4u/TgAPNdi9128qk1q4R:ieF+iIAEl1JPz212IhzL+Bzz3dw/Vb

Score

10^/10

gofing credential_access discovery ransomware spyware stealer

Malware Config

Signatures

Gofing
Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.
ransomware gofing
Gofing family
gofing

Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation. 3 IoCs

resource	yara_rule
behavioral2/files/0x0003000000022a2b-4.dat	family_gofing
behavioral2/files/0x0002000000021b45-5435.dat	family_gofing
behavioral2/files/0x0002000000021fd2-5452.dat	family_gofing

Renames multiple (52) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe

Loads dropped DLL 64 IoCs

pid	Process
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\manifest.json	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File created	C:\Users\Public\Downloads\desktop.ini	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Public\Libraries\desktop.ini	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\OneDrive\desktop.ini	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Public\desktop.ini	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\Links\desktop.ini	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Fonts\desktop.ini	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\Downloads\desktop.ini	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\Pictures\desktop.ini	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\Searches\desktop.ini	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Offline Web Pages\desktop.ini	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\desktop.ini	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\3D Objects\desktop.ini	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\Desktop\desktop.ini	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\Favorites\desktop.ini	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\Saved Games\desktop.ini	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Public\AccountPictures\desktop.ini	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\Documents\desktop.ini	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Public\Music\desktop.ini	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Media\Desktop.ini	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\desktop.ini	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Public\Desktop\desktop.ini	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Public\Documents\desktop.ini	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Admin\Videos\desktop.ini	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe

Drops autorun.inf file 1 TTPs 1 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\InstallShield\setupdir\000e\_setup.dll	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\UiaManager.dll	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\Windows.Internal.Devices.Sensors.dll	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\KBDSMSNO.DLL	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\Keywords\{A5A7C794-3D59-41DF-915F-19ACDA526FC9}4105.bin	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\ja-JP\prnqctl.vbs	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\SettingMonitor.dll	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\Windows.AI.MachineLearning.dll	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\Windows.Security.Credentials.UI.CredentialPicker.dll	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\DfsShlEx.dll	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\F12\fr-FR\IEChooser.exe.mui	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\IME\SHARED\imecfmps.dll	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\001a\_setup.dll	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\LaunchWinApp.exe	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\de-DE\prnmngr.vbs	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\ja-JP\pubprn.vbs	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\RTMediaFrame.dll	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\Dism\it-IT\TransmogProvider.dll.mui	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\F12\es-ES\F12Platform.dll.mui	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\KBDTAJIK.DLL	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\Vault.dll	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\de-DE\prndrvr.vbs	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\Dism\TransmogProvider.dll	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\IME\IMEJP\APPLETS\IMJPSKF.DLL	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\KBDHELA2.DLL	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\Windows.Devices.LowLevel.dll	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\AuthFWSnapin.dll	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\Configuration\BaseRegistration\it-IT\BaseResource.Schema.mfl	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\L2SecHC.dll	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\MixedRealityRuntime.dll	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\Speech\SpeechUX\fr-FR\sapi.cpl.mui	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\Speech_OneCore\Common\ja-JP\VES-SeeItSayIt.0411.grxml	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\IME\IMEJP\IMJPSET.EXE	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\KBDCZ2.DLL	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\KBDHEPT.DLL	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\KBDTIPRD.DLL	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\Keywords\ti_dnn_fast_pt-BR.table	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\LocationFrameworkPS.dll	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\SyncInfrastructureps.dll	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\ExtrasXmlParser.dll	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\ActionCenter.dll	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\Configuration\BaseRegistration\fr-FR\BaseResource.Schema.mfl	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\D3DSCache.dll	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\Dism\de-DE\DmiProvider.dll.mui	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\Dism\de-DE\GenericProvider.dll.mui	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\0404\_setup.dll	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\KBDUSR.DLL	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\Configuration\BaseRegistration\en-US\MSFT_MetaConfigurationExtensionClasses.Schema.mfl	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\DafPrintProvider.dll	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\HrtfApo.dll	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\Licenses\neutral\OEM\Professional\license.rtf	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\OneDrive.ico	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\es-ES\pubprn.vbs	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\SensorsCpl.dll	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\SmartcardCredentialProvider.dll	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\DefaultPrinterProvider.dll	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\Dism\en-US\IntlProvider.dll.mui	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\Licenses\neutral\_Default\Professional\de-license.rtf	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\WinMetadata\Windows.Media.winmd	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\Windows.Networking.NetworkOperators.ESim.dll	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\AUDIOKSE.dll	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\PkgMgr.exe	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\prncnfg.vbs	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\SysWOW64\WfHC.dll	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptyView-Dark.scale-125.png	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarLargeTile.scale-400.png	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-40_altform-unplated.png	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\PresentationFramework.resources.dll	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-file-l2-1-0.dll	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\FPLACE.DLL	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Generic-Light.scale-125.png	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\splash_11-lic.gif	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\nl-nl\ui-strings.js	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\UIAutomationClient.resources.dll	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-24_altform-lightunplated.png	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ca-es\ui-strings.js	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TEXTCONV\WPFT532.CNV	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-125_8wekyb3d8bbwe\resources.pri	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\MoviesAnywhereLogoWithTextLight.scale-200.png	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\identity_proxy\win11\identity_helper.Sparse.Stable.msix	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-256_contrast-white.png	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\te-IN\View3d\3DViewerProductDescription-universal.xml	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNewNoteWideTile.scale-200.png	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\Logo.scale-200_contrast-white.png	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\LinkedInboxMediumTile.scale-150.png	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Formats.Asn1.dll	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\zh-tw\ui-strings.js	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\In.ps1	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\ClassicPhotoAlbum.potx	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\Weather_TileWide.scale-100.png	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionMedTile.scale-200.png	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.dll	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\PresentationCore.dll	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\themes\dark\adobe_logo.png	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\extensibility.dll	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\de-de\ui-strings.js	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\sk-sk\ui-strings.js	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_gu.dll	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Locales\zh-CN.pak	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_LinkDrop32x32.gif	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-100.png	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\JUICE___.TTF	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STUDIO\PREVIEW.GIF	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-125_contrast-white.png	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageSplashScreen.scale-400.png	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageMedTile.scale-100_contrast-white.png	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNotePageLargeTile.scale-200.png	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\nb-NO\tipresx.dll.mui	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red.xml	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\EmptyCalendarSearch.scale-400.png	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\ReachFramework.resources.dll	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\de-de\ui-strings.js	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\file_info2x.png	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\fi-fi\ui-strings.js	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Java\jre-1.8\bin\hprof.dll	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-ul-phn.xrm-ms	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-ul-oob.xrm-ms	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.AnalysisServices.AdomdClientUI.dll	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LEVEL\PREVIEW.GIF	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNotePageWideTile.scale-150.png	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Generic-Light.scale-100.png	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxBadge.scale-125.png	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\7-Zip\Lang\cy.txt	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-ppd.xrm-ms	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\Mozilla Firefox\plugin-container.exe	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\91.jpg	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ES\Microsoft.Build.Engine.resources.dll	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\1041\dv_aspnetmmc.chm	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\PolicyDefinitions\iSCSI.admx	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Speech_OneCore\Engines\TTS\ja-JP\JaJP.name.dat	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\INF\lsi_sas.inf	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Collections.dll	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\fr\System.Data.resources.dll	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\selectedTab_leftCorner.gif	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\help.jpg	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Reflection.Emit\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Reflection.Emit.dll	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_mfcm100_x64	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualC\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler\v4.0_4.0.0.0__31bf3856ad364e35\Microsoft.Workflow.Compiler.exe	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Routing\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Routing.dll	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Fonts\courft.fon	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Fonts\palab.ttf	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ShFusRes.dll	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\PolicyDefinitions\fr-FR\VolumeEncryption.adml	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\INF\mdmmega.inf	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard\App_LocalResources\wizardAddUser.ascx.it.resx	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\fr\MSBuild.resources.dll	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Caching.resources\v4.0_4.0.0.0_de_b03f5f7f11d50a3a\System.Runtime.Caching.resources.dll	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Globalization.Calendars.dll	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ja\System.Security.resources.dll	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\App_LocalResources\WebAdminHelp_Provider.aspx.it.resx	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\Users\App_LocalResources\findUsers.aspx.fr.resx	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe.config	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer.Resources\v4.0_10.0.0.0_de_31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.resources.dll	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\INF\SMSvcHost 3.0.0.0\0000\_SMSvcHostPerfCounters_D.ini	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\DE\System.Data.OracleClient.resources.dll	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework64\1041\admin.chm	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\System.ServiceModel.dll	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WindowsFormsIntegration.dll	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Log.resources\v4.0_4.0.0.0_ja_b03f5f7f11d50a3a\System.IO.Log.resources.dll	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Presentation.resources\v4.0_4.0.0.0_it_b77a5c561934e089\System.Windows.Presentation.resources.dll	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Boot\PCAT\tr-TR\bootmgr.exe.mui	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\INF\hiddigi.PNF	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\L2Schemas\WWAN_profile_v1.xsd	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Permissions\App_LocalResources\managePermissions.aspx.resx	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Linq.dll	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Reflection.context.dll	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Prefetch\FILESYNCCONFIG.EXE-CB60E6FA.pf	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\INF\TermService\tslabels.h	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Users\App_LocalResources\findUsers.aspx.resx	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ilasm.exe	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security.resources\v4.0_4.0.0.0_de_b03f5f7f11d50a3a\System.Security.resources.dll	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\INF\PERFLIB\0411\perfc.dat	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\INF\tdibth.PNF	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\it\Tracking_Schema.sql	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\DE\System.Data.OracleClient.resources.dll	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\JA\System.Security.Resources.dll	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\1041\vbc7ui.dll	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\de\aspnet_compiler.resources.dll	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_perf.ini	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\normidna.nlp	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\PolicyDefinitions\de-DE\PreviousVersions.adml	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\PolicyDefinitions\de-DE\nca.adml	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Resources\Themes\aero\uk-UA\aero.msstyles.mui	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.5\EdmGen.exe	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CORPerfMonExt.dll	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\de\System.ServiceModel.Routing.resources.dll	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\it\Microsoft.Build.Engine.resources.dll	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Web.resources\v4.0_4.0.0.0_it_31bf3856ad364e35\System.ServiceModel.Web.resources.dll	2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchApp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchApp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchApp.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{179F3D56-1B0B-42B2-A962-59B7EF59FE1B}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{6BFCACDC-A6A6-4343-9CF6-83A83727367B}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech SW Voice Activation - Spanish (Spain)"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\de-DE-N\\lsr1031.lxa"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech HW Voice Activation - English (United States)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\es-ES-N\\r3082sr.lxa"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{57523D96-B7F6-4D2C-8AFC-BCC5F5392E94}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "L1031"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\es-ES-N\\lsr3082.lxa"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Hedda"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\ja-JP-N\\lsr1041.lxa"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Katja"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\en-US\\M1033Zira"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "MS-3082-110-WINMO-DNN"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR es-ES Locale Handler"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Paul - French (France)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR de-DE Lookup Lexicon"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Julie"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\it-IT-N\\lsr1040.lxa"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\ja-JP\\VoiceActivation_ja-JP.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Spanish Phone Converter"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Mark - English (United States)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\es-ES\\sidubm.table"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR fr-FR Locale Handler"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\fr-FR-N\\AI041036"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Hortense"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "002D 002D 0021 0021 0026 0026 002C 002C 002E 002E 003F 003F 005F 005F 002B 002B 002A 002A 02C9 02C9 02CA 02CA 02C7 02C7 02CB 02CB 02D9 02D9 3000 3000 3105 3105 3106 3106 3107 3107 3108 3108 3109 3109 310A 310A 310B 310B 310C 310C 310D 310D 310E 310E 310F 310F 3110 3110 3111 3111 3112 3112 3113 3113 3114 3114 3115 3115 3116 3116 3117 3117 3118 3118 3119 3119 3127 3127 3128 3128 3129 3129 311A 311A 311B 311B 311C 311C 311D 311D 311E 311E 311F 311F 3120 3120 3121 3121 3122 3122 3123 3123 3124 3124 3125 3125 3126 3126"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech Recognition Engine - de-DE Embedded DNN v11.1"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR es-ES Lts Lexicon"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\es-ES\\MSTTSLocesES.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\it-IT-N\\c1040.fe"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "spell=NativeSupported; cardinal=GlobalSupported; ordinal=NativeSupported; date=GlobalSupported; time=GlobalSupported; telephone=NativeSupported; computer=NativeSupported; address=NativeSupported; currency=NativeSupported; message=NativeSupported; url=NativeSupported; alphanumeric=NativeSupported"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\ja-JP-N\\L1041"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "MS-1031-110-WINMO-DNN"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\de-DE\\M1031Katja"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech Recognition Engine - fr-FR Embedded DNN v11.1"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\en-US\\M1033Mark"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "1"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "CC"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\en-US\\M1033David"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR de-DE Locale Handler"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Helena - Spanish (Spain)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR fr-FR Lts Lexicon"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Hortense - French (France)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SpeechUXPlugin"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{81218F10-A8AA-44C4-9436-33A42C3852E9}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Male"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\c1033.fe"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "L1040"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "MS-1041-110-WINMO-DNN"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "1033"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Mark"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft David"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Pablo - Spanish (Spain)"	SearchApp.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2396	SearchApp.exe
396	SearchApp.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4972	SearchApp.exe
2396	SearchApp.exe
396	SearchApp.exe

C:\Users\Admin\AppData\Local\Temp\2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-30_aa627512df8f39f8522ce27a1b9721dd_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch.exe"
1⤵
- Drops startup file
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:1376

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4972

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2396

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7-zip.dll

Filesize
4.2MB

MD5
15c19275212f30393f4ad70bb124949c

SHA1
3ebb69edbf29051d3feaf5a1a840e3407b66cbc7

SHA256
2c2f4105530b068e7cbc57aca18edce7282502e8d60b22b7f4f58abee15859b1

SHA512
5413d24524d30a959ba002f613226011deaf9febd3f358455560a873576f90fc0c6d2ed0c39b4cfd4723d8dc026b93bcf78babe198ff9605bb1f282f187275f3

Download Submit
C:\Program Files\Microsoft Office\root\Office16\VISSHE.DLL

Filesize
4.4MB

MD5
020460534c8c874a99b6492a7c5f675f

SHA1
be6408f26d4a4c9d2961478dade7e4f3fe083031

SHA256
13b300b8d224620cab9fa85ab817302354e15ab0645e612bd9760b22f225ad97

SHA512
581fbb85dfc260e388b021f782c11b29d37cd135dcf03f40cbc70d545151493ce378309d9a31bad46458cfd7084a2bbaae2540eaeac16f231afe702df0a975fc

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

Filesize
5.8MB

MD5
fd02ad853e59441d7995fc6ffcf01093

SHA1
d1cd7104422325f26778b56fc04f20d1eef84cc6

SHA256
229a25dc79780b371097c097107fbc182b8ae7cc58d43c7e2e5a5a53793dff10

SHA512
481051510dfe19ee6288ca6434b039ea6f42b679934b0c50b2a73405ef8fad61a5bfbed6e92fe44b5ae4563b7cbc3cea246681ef7b0bfa874f6a72ab5407faa2

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\7V6S7ER6\microsoft.windows[1].xml

Filesize
96B

MD5
b8166526c84ccfb1ad9551c5859d6f46

SHA1
0e6e5ad925ecb18b53bbc50f49739383fccaeeba

SHA256
45c3d89194c930caaf8c9eb3e731f965f66d4da43f5ea09e75d2d5af56a66a2e

SHA512
bfee9ad267a80233fff1d3cca395d4d91ae86a972344d2a84b95d3d4704d39a4e00bc6dedac123252aa6bd7b6cc136c5aeda7fc644a2b30fa430c9ae473cca7c

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{48c0d5ed-aec9-4acf-ba5f-9baf4a856dc2}\0.1.filtertrie.intermediate.txt

Filesize
5B

MD5
34bd1dfb9f72cf4f86e6df6da0a9e49a

SHA1
5f96d66f33c81c0b10df2128d3860e3cb7e89563

SHA256
8e1e6a3d56796a245d0c7b0849548932fee803bbdb03f6e289495830e017f14c

SHA512
e3787de7c4bc70ca62234d9a4cdc6bd665bffa66debe3851ee3e8e49e7498b9f1cbc01294bf5e9f75de13fb78d05879e82fa4b89ee45623fe5bf7ac7e48eda96

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{48c0d5ed-aec9-4acf-ba5f-9baf4a856dc2}\0.2.filtertrie.intermediate.txt

Filesize
5B

MD5
c204e9faaf8565ad333828beff2d786e

SHA1
7d23864f5e2a12c1a5f93b555d2d3e7c8f78eec1

SHA256
d65b6a3bf11a27a1ced1f7e98082246e40cf01289fd47fe4a5ed46c221f2f73f

SHA512
e72f4f79a4ae2e5e40a41b322bc0408a6dec282f90e01e0a8aaedf9fb9d6f04a60f45a844595727539c1643328e9c1b989b90785271cc30a6550bbda6b1909f8

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133878349256190901.txt

Filesize
27KB

MD5
1d146d16b2c54677eaac87f56b692019

SHA1
4fbe0314b9716d9293abffe4037703089c8c4ce7

SHA256
84816b23a781f3d0dd4e9c0cb1524b63ba4a4f0bdf4f2d30d74998e2a8986ae4

SHA512
11fa32b19a62c2295047fbb8ba1785d01d82c5153d2b11b9cb72b1d02270eaaa6ac9a5e866b5267a1a276f0ec3b123cfc2c48f8af8151c90947abe0a9d721557

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133878349264788926.txt

Filesize
15KB

MD5
18bee33d1ae7e7ed4cff2dc793879d78

SHA1
dc48c4398fe220905c35a93b1bb1bb4235cae00f

SHA256
42031724f1ba0695be437e59142d6055b64543cfe3d86ea722736f575a840811

SHA512
7cba6d996376a7ebe347447ce43910a33cb124a9100bc7d745de24db1d277e0f3ad5ea2e89d8c9a30080079ccec9701e35c8fce579c108842ebe2eb14811309b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\IDX_CONTENT_TASKBARHEADLINES.json

Filesize
277KB

MD5
cc1c9a63234fbb410468defdc66fcb24

SHA1
ddea4bb122734c56d95c3e9e69d551978eaf45d5

SHA256
174b129f3db14ba6b43e7b7b9d3bf816e2f15bd69c89b4da26841ed9971986a4

SHA512
65070892e0426186e408ad506f89aee76008d78c52e57472a94415f981a9b3ba5914285234258ad278df4b633c2d3d9d3cb7fcff6c75c43e4adb93586be95d6f

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\IDX_CONTENT_TASKBARHEADLINES.json

Filesize
276KB

MD5
a28f00b8ee65d75ff4f24f97fc445429

SHA1
8349d6f941c8a54fea1dd4e09e35c3a211a90c74

SHA256
bc831d0c0b1bd312af0fd7d14014daac3af4da7dbf66433d4bfd9c83b2669ba8

SHA512
794af2866cdfb4b8203dc6c511a4a28067b01791752b6f59679982fdf2b51395bed5c3dcd29f2b78ef6be7e748ec2e102b10172858a22b8cd72283f3aa361769

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat

Filesize
13KB

MD5
380c22089e2e14f9bbdadcb701523447

SHA1
2fa63eb6773b190c2bcd1c4d4fae59c2c939c896

SHA256
e83633de231ffa57fab8df348883698ebd6550a687692178d09468f0ef3e9310

SHA512
a85bfbbdfc74e0faf2ea92131e81cd263769c60ec9389fe6c8e4f594598144dcc57595755c2f20ecd4170624915c8655991444756d57ed8dc94f00b14fd4116b

Download Submit
memory/396-6088-0x000001F8D6000000-0x000001F8D6100000-memory.dmp

Filesize
1024KB

Download
memory/396-6106-0x000001F8D69E0000-0x000001F8D6A00000-memory.dmp

Filesize
128KB

Download
memory/396-6127-0x000001F8D70F0000-0x000001F8D7110000-memory.dmp

Filesize
128KB

Download
memory/396-6093-0x000001F8D6D20000-0x000001F8D6D40000-memory.dmp

Filesize
128KB

Download
memory/2396-5861-0x000001F53FDE0000-0x000001F53FE00000-memory.dmp

Filesize
128KB

Download
memory/2396-5891-0x000001F53FDA0000-0x000001F53FDC0000-memory.dmp

Filesize
128KB

Download
memory/2396-5892-0x000001F5401B0000-0x000001F5401D0000-memory.dmp

Filesize
128KB

Download
memory/4972-5791-0x000002238BAB0000-0x000002238BAD0000-memory.dmp

Filesize
128KB

Download
memory/4972-5799-0x000002238BA70000-0x000002238BA90000-memory.dmp

Filesize
128KB

Download
memory/4972-5800-0x000002238BE00000-0x000002238BE20000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads